Merge branch 'release-0.24'

Author: longsleep

Makefile.am

@@ -124,6 +124,7 @@ install:
 	@echo "Installing static resources to: $(SHARE)"
 	$(INSTALL) -d $(BIN)
 	$(INSTALL) -d $(SHARE)/www/html
+	$(INSTALL) -d $(SHARE)/www/html/sandboxes
 	$(INSTALL) -d $(SHARE)/www/static
 	$(INSTALL) -d $(SHARE)/www/static/img
 	$(INSTALL) -d $(SHARE)/www/static/sounds
@@ -133,7 +134,8 @@ install:
 	$(INSTALL) -d $(SHARE)/www/static/js/libs/pdf
 	$(INSTALL) -d $(SHARE)/www/static/js/sandboxes
 	$(INSTALL) bin/$(EXENAME) $(BIN)
-	$(INSTALL) html/* $(SHARE)/www/html
+	$(INSTALL) html/*.html $(SHARE)/www/html
+	$(INSTALL) html/sandboxes/*.html $(SHARE)/www/html/sandboxes
 	$(INSTALL) static/img/* $(SHARE)/www/static/img
 	$(INSTALL) static/sounds/* $(SHARE)/www/static/sounds
 	$(INSTALL) static/fonts/* $(SHARE)/www/static/fonts

build/build.js

@@ -50,10 +50,7 @@
 			]
 		},
 		{
-			name: 'base',
-			include: [
-				'pdf.compatibility'
-			]
+			name: 'base'
 		},
 		{
 			name: 'app',
@@ -64,14 +61,21 @@
 			inlineText: true,
 		},
 		{
-			name: 'pdf',
+			name: 'libs/pdf/pdf',
 			dir: './out/libs/pdf',
-			exclude: [
-				'base'
-			]
+			override: {
+				skipModuleInsertion: true
+			}
+		},
+		{
+			name: 'libs/pdf/compatibility',
+			dir: './out/libs/compatibility',
+			override: {
+				skipModuleInsertion: true
+			}
 		},
 		{
-			name: 'pdf.worker',
+			name: 'libs/pdf/pdf.worker',
 			dir: './out/libs/pdf',
 			override: {
 				skipModuleInsertion: true

debian/changelog

@@ -1,3 +1,13 @@
+spreed-webrtc-server (0.24.1) precise; urgency=low
+
+  * Load sandboxes on demand, generated by server.
+  * ODF and PDF sandboxes now use CSP from HTTP response header.
+  * No longer include obsolete sandbox stuff in base scripts.
+  * Sandbox iframes are now always created on demand.
+  * Don't return users twice in "Welcome" from global room.
+
+ -- Simon Eisenmann <[email protected]>  Fri, 03 Jul 2015 11:43:56 +0200
+
 spreed-webrtc-server (0.24.0) precise; urgency=low
 
   * Added hover actions on buddy picture in group chat.

static/partials/odfcanvas_sandbox.html renamed to html/sandboxes/odfcanvas_sandbox.html

@@ -1,8 +1,8 @@
-<!DOCTYPE html>
+<!doctype html>
 <html>
 	<head>
 		<title>WebODF Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__; img-src data:; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@@ -35,6 +35,6 @@
 		<div id="container">
 			<div id="odfcanvas"></div>
 		</div>
-		<script src="__WEBODF_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__" data-webodf-url="__WEBODF_URL__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/webodf.js" data-parent-origin="<%.Origin%>" data-webodf-url="<%.Cfg.S%>/js/libs/webodf.js"></script>
 	</body>
 </html>

static/partials/pdfcanvas_sandbox.html renamed to html/sandboxes/pdfcanvas_sandbox.html

@@ -1,8 +1,8 @@
-<!DOCTYPE html>
+<!doctype html>
 <html>
 	<head>
 		<title>pdf.js Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__ 'unsafe-eval'; img-src 'self'; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@@ -29,6 +29,6 @@
 		<div id="container">
 			<canvas id="canvas0"></canvas><canvas id="canvas1"></canvas>
 		</div>
-		<script src="__PDFJS_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__" data-pdfjs-url="__PDFJS_URL__"  data-pdfjs-worker-url="__PDFJS_WORKER_URL__" data-pdfjs-compatibility-url="__PDFJS_COMPATIBILITY_URL__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/pdf.js" data-parent-origin="<%.Origin%>" data-pdfjs-url="<%.Cfg.S%>/js/libs/pdf/pdf.js" data-pdfjs-worker-url="<%.Cfg.S%>/js/libs/pdf/pdf.worker.js" data-pdfjs-compatibility-url="<%.Cfg.S%>/js/libs/pdf/compatibility.js"></script>
 	</body>
 </html>

static/partials/youtubevideo_sandbox.html renamed to html/sandboxes/youtubevideo_sandbox.html

@@ -2,7 +2,8 @@
 <html>
 	<head>
 		<title>YouTube Player Sandbox</title>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src __PARENT_ORIGIN__ https://www.youtube.com https://s.ytimg.com 'unsafe-eval'; frame-src https://www.youtube.com; style-src 'unsafe-inline'">
+		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src <%.Origin%> https://www.youtube.com https://s.ytimg.com 'unsafe-eval'; frame-src https://www.youtube.com; style-src 'unsafe-inline'">
+		<base href="<%.Cfg.B%>">
 		<style type="text/css">
 		html, body {
 			height:100%;
@@ -22,6 +23,6 @@
 	</head>
 	<body>
 		<div id="youtubeplayer"></div>
-		<script src="__YOUTUBE_SANDBOX_JS_URL__" data-parent-origin="__PARENT_ORIGIN__"></script>
+		<script src="<%.Cfg.S%>/js/sandboxes/youtube.js" data-parent-origin="<%.Origin%>"></script>
 	</body>
 </html>

src/app/spreed-webrtc-server/context.go

@@ -30,4 +30,5 @@ type Context struct {
 	Languages []string
 	Room      string `json:"-"`
 	Scheme    string `json:"-"`
+	Origin    string `json:",omitempty"`
 }

src/app/spreed-webrtc-server/main.go

@@ -36,10 +36,13 @@ import (
 	"log"
 	"net/http"
 	_ "net/http/pprof"
+	"net/url"
 	"os"
 	"path"
+	"path/filepath"
 	goruntime "runtime"
 	"strconv"
+	"strings"
 	"syscall"
 	"time"
 )
@@ -75,6 +78,20 @@ func roomHandler(w http.ResponseWriter, r *http.Request) {
 
 }
 
+func sandboxHandler(w http.ResponseWriter, r *http.Request) {
+
+	vars := mux.Vars(r)
+	// NOTE(longsleep): origin_scheme is window.location.protocol (eg. https:, http:).
+	originURL, err := url.Parse(fmt.Sprintf("%s//%s", vars["origin_scheme"], vars["origin_host"]))
+	if err != nil || originURL.Scheme == "" || originURL.Host == "" {
+		http.Error(w, "Invalid origin path", http.StatusBadRequest)
+		return
+	}
+	origin := fmt.Sprintf("%s://%s", originURL.Scheme, originURL.Host)
+	handleSandboxView(vars["sandbox"], origin, w, r)
+
+}
+
 func makeImageHandler(buddyImages ImageCache, expires time.Duration) http.HandlerFunc {
 
 	return func(w http.ResponseWriter, r *http.Request) {
@@ -158,6 +175,42 @@ func handleRoomView(room string, w http.ResponseWriter, r *http.Request) {
 
 }
 
+func handleSandboxView(sandbox string, origin string, w http.ResponseWriter, r *http.Request) {
+
+	w.Header().Set("Content-Type", "text/html; charset=UTF-8")
+	w.Header().Set("Expires", "-1")
+	w.Header().Set("Cache-Control", "private, max-age=0")
+
+	sandboxTemplateName := fmt.Sprintf("%s_sandbox.html", sandbox)
+
+	// Prepare context to deliver to HTML..
+	if t := templates.Lookup(sandboxTemplateName); t != nil {
+
+		// CSP support for sandboxes.
+		var csp string
+		switch sandbox {
+		case "odfcanvas":
+			csp = fmt.Sprintf("default-src 'none'; script-src %s; img-src data: blob:; style-src 'unsafe-inline'", origin)
+		case "pdfcanvas":
+			csp = fmt.Sprintf("default-src 'none'; script-src %s 'unsafe-eval'; img-src 'self' data: blob:; style-src 'unsafe-inline'", origin)
+		default:
+			csp = "default-src 'none'"
+		}
+		w.Header().Set("Content-Security-Policy", csp)
+
+		// Prepare context to deliver to HTML..
+		context := &Context{Cfg: config, Origin: origin, Csp: true}
+		err := t.Execute(w, &context)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+
+	} else {
+		http.Error(w, "404 Unknown Sandbox", http.StatusNotFound)
+	}
+
+}
+
 func runner(runtime phoenix.Runtime) error {
 
 	log.SetFlags(log.LstdFlags | log.Lmicroseconds)
@@ -257,10 +310,21 @@ func runner(runtime phoenix.Runtime) error {
 	config = NewConfig(runtime, tokenProvider != nil)
 
 	// Load templates.
-	tt := template.New("")
-	tt.Delims("<%", "%>")
-
-	templates, err = tt.ParseGlob(path.Join(rootFolder, "html", "*.html"))
+	templates = template.New("")
+	templates.Delims("<%", "%>")
+
+	// Load html templates folder
+	err = filepath.Walk(path.Join(rootFolder, "html"), func(path string, info os.FileInfo, err error) error {
+		if err == nil {
+			if strings.HasSuffix(path, ".html") {
+				_, err = templates.ParseFiles(path)
+				if err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+	})
 	if err != nil {
 		return fmt.Errorf("Failed to load templates: %s", err)
 	}
@@ -335,7 +399,7 @@ func runner(runtime phoenix.Runtime) error {
 		runtime.DefaultHTTPSHandler(r)
 	}
 
-	// Add handlers.
+	// Prepare services.
 	buddyImages := NewImageCache()
 	codec := NewCodec(incomingCodecLimit)
 	roomManager := NewRoomManager(config, codec)
@@ -344,6 +408,8 @@ func runner(runtime phoenix.Runtime) error {
 	sessionManager := NewSessionManager(config, tickets, hub, roomManager, roomManager, buddyImages, sessionSecret)
 	statsManager := NewStatsManager(hub, roomManager, sessionManager)
 	channellingAPI := NewChannellingAPI(config, roomManager, tickets, sessionManager, statsManager, hub, hub, hub)
+
+	// Add handlers.
 	r.HandleFunc("/", httputils.MakeGzipHandler(mainHandler))
 	r.Handle("/static/img/buddy/{flags}/{imageid}/{idx:.*}", http.StripPrefix(config.B, makeImageHandler(buddyImages, time.Duration(24)*time.Hour)))
 	r.Handle("/static/{path:.*}", http.StripPrefix(config.B, httputils.FileStaticServer(http.Dir(rootFolder))))
@@ -354,6 +420,9 @@ func runner(runtime phoenix.Runtime) error {
 	// Simple room handler.
 	r.HandleFunc("/{room}", httputils.MakeGzipHandler(roomHandler))
 
+	// Sandbox handler.
+	r.HandleFunc("/sandbox/{origin_scheme}/{origin_host}/{sandbox}.html", httputils.MakeGzipHandler(sandboxHandler))
+
 	// Add API end points.
 	api := sloth.NewAPI()
 	api.SetMux(r.PathPrefix("/api/v1/").Subrouter())

src/app/spreed-webrtc-server/roomworker.go

@@ -207,10 +207,12 @@ func (r *roomWorker) GetUsers() []*DataSession {
 			}
 		}
 		r.mutex.RUnlock()
-		// Include connections to global room.
-		for _, ec := range r.manager.GlobalUsers() {
-			if !appender(ec) {
-				break
+		if r.id != r.manager.globalRoomID {
+			// Include connections to global room.
+			for _, ec := range r.manager.GlobalUsers() {
+				if !appender(ec) {
+					break
+				}
 			}
 		}
 

static/js/directives/odfcanvas.js

@@ -20,7 +20,7 @@
  */
 
 "use strict";
-define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html'], function(require, _, $, sandboxTemplate) {
+define(['require', 'underscore', 'jquery'], function(require, _, $) {
 
 	return ["$window", "$compile", "$http", "translation", "safeApply", "restURL", "sandbox", function($window, $compile, $http, translation, safeApply, restURL, sandbox) {
 
@@ -31,14 +31,13 @@ define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html
 		var controller = ['$scope', '$element', '$attrs', function($scope, $element, $attrs) {
 
 			var container = $($element);
-
 			var odfCanvas;
-
-			var template = sandboxTemplate;
-			template = template.replace(/__PARENT_ORIGIN__/g, $window.location.protocol + "//" + $window.location.host);
-			template = template.replace(/__WEBODF_SANDBOX_JS_URL__/g, restURL.createAbsoluteUrl(require.toUrl('sandboxes/webodf') + ".js"));
-			template = template.replace(/__WEBODF_URL__/g, restURL.createAbsoluteUrl(require.toUrl('webodf') + ".js"));
-			var sandboxApi = sandbox.createSandbox($("iframe", container)[0], template);
+			var url = restURL.sandbox("odfcanvas");
+			var sandboxApi = sandbox.createSandbox(container, null, url, "allow-scripts", null, {
+				allowfullscreen: true,
+				mozallowfullscreen: true,
+				webkitallowfullscreen: true
+			});
 
 			sandboxApi.e.on("message", function(event, message) {
 				var msg = message.data;
@@ -231,7 +230,7 @@ define(['require', 'underscore', 'jquery', 'text!partials/odfcanvas_sandbox.html
 		return {
 			restrict: 'E',
 			replace: true,
-			template: '<div class="canvasContainer odfcontainer"><iframe allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true" sandbox="allow-scripts"></iframe></div>',
+			template: '<div class="canvasContainer odfcontainer"></div>',
 			controller: controller
 		};