Dear all,
in the case of Readium-JS-viewer (i.e. the cloud reader, I have not
checked the Chrome extension yet), the content-iframes reference EPUB
documents that have the same origin as the host application. In other
words, the HTML wrapper that provides the "page" layout for one or two
iframes side-by-side (+ app "chrome" / UI menus, etc.) is exposed to
potential security threats. For example, an EPUB can easily access and
modify the host/shell HTML markup, invoke Javascript code, corrupt the
e-book library, steal sensitive user data, etc.
window.parent.document.body.innerHTML = "HACKED !!";
HTML5 provides the iframe@sandbox attribute, so we could easily
restrict our content iframes with:
<iframe sandbox="allow-scripts">
(and perhaps "allow-forms" as well)
We should obviously disable "allow-top-navigation" (by omission in the
@sandbox attribute).
We do not want "allow-same-origin", as that's the problem we are
trying to fix in the first place.
...Unfortunately, the Readium framework NEEDS "allow-same-origin" in
order to (1) inject the window.navigator.epubReadingSystem, (2) apply
the installHookFunction, and (3) access iframe.contentDocument from
various places in our code.
Worth noting: the iframe@sandbox attribute values are taken into
account by the web-browser when the iframe@src is SET (i.e. when the
hosted document is loaded), so we cannot temporarily change the
sandboxing conditions just to execute (1) (2) and (3). At least,
that's the behaviour I observed when I experimented with Safari.
So, another option is to serve the EPUB content documents from a
different origin than the HTML that hosts the iframes. As it turns
out, that's typically what a native ReadiumSDK launcher does (e.g. OSX
app-bundle file:// URL for reader.html, or special readium-sdk:// URL
scheme, versus the http://127.0.0.1 content URLs). The problem is that
the aforementioned requirements (1) (2) and (3) may not be functioning
properly, I have not checked yet (baring in mind the possible
inconsistencies between regular web browsers and UIWebView / embedded
WebKit control).
I'm not sure how high this issue is on the priority list, but I
thought I'd start a conversation on the mailing-list. I hope that a
more web-savvy dev can take ownership ;)
Cheers, Daniel
I wrote an additional test for epub-testsuite (#160), comments welcome.This is work in progress, in separate GitFlow "feature" branch:https://github.com/mgylling/epub-testsuite/tree/feature/RS_integrity/content/30/epub30-test-0160Notes:Both ReadiumJS viewer and Chrome-extension fail.Readium-Launcher_OSX passes (I think that Readium-Launcher_iOS passes as well, but I need to double-check). iBooksX passes (not tried iBooks-iOS yet).
ReadiumLauncher-OSX passes the test thanks to the fact that the native application serves the reader.html "bootstrapper" (thin HTML wrapper) from file://APP-BUNDLE, whereas the iframe'd EPUB content is served from a different origin (via the readiumsdk://PACKAGE_UID URI scheme).
I've checked in a feature branch in the iOS launcher to play around with this:feature/nsurl-protocolInstead of serving everything from 127.0.0.1, reader.html and friends (readium-shared-js, etc.) are served via NSURLProtocol (which the app intercepts and provides content for directly), whereas the EPUB contents are served from 127.0.0.1 (where SimpleHTTPServer provides the content).Things don't work, which I guess is to be expected, although I'm not as familiar with the inner workings of the JavaScript code to know exactly why things are breaking down. The content is getting fetched and served via NSURLProtocol and SimpleHTTPServer, and the UI displays a toolbar with the correct pagination info (demonstrating JavaScript events correctly bubbling up to the native layer), but the content in the web view is blank.One change I made in media_overlay_data_injector.js is not checked in, but here's the diff (old on left):This was to work around $iframe[0].contentDocument being null (just testing simple, non-MO documents)... just a stopgap.Boris, Daniel, anyone else, please feel free to experiment to see if there might be a way to make this hybrid NSURLProtocol/SimpleHTTPServer work.- Shane
--
You received this message because you are subscribed to the Google Groups "readium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to readium-dev...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.