Add iframe sandboxing

2025-10-05 15:32:55 +02:00 · 2021-10-20 20:15:50 -07:00 · 2021-10-20 20:15:50 -07:00 · ab4dd46408
commit ab4dd46408
parent f632df7cb3
8 changed files with 18828 additions and 28 deletions
--- a/src/managers/continuous/index.js
+++ b/src/managers/continuous/index.js
@ -21,7 +21,8 @@ class ContinuousViewManager extends DefaultViewManager {
 			width: undefined,
 			height: undefined,
 			snap: false,
-			afterScrolledTimeout: 10
+			afterScrolledTimeout: 10,
+			allowScriptedContent: false
 		});

 		extend(this.settings, options.settings || {});
@ -38,7 +39,8 @@ class ContinuousViewManager extends DefaultViewManager {
 			layout: this.layout,
 			width: 0,
 			height: 0,
-			forceEvenPages: false
+			forceEvenPages: false,
+			allowScriptedContent: this.settings.allowScriptedContent
 		};

 		this.scrollTop = 0;
--- a/src/managers/default/index.js
+++ b/src/managers/default/index.js
@ -26,7 +26,8 @@ class DefaultViewManager {
 			writingMode: undefined,
 			flow: "scrolled",
 			ignoreClass: "",
-			fullsize: undefined
+			fullsize: undefined,
+			allowScriptedContent: false
 		});

 		extend(this.settings, options.settings || {});
@ -39,7 +40,8 @@ class DefaultViewManager {
 			method: this.settings.method, // srcdoc, blobUrl, write
 			width: 0,
 			height: 0,
-			forceEvenPages: true
+			forceEvenPages: true,
+			allowScriptedContent: this.settings.allowScriptedContent
 		};

 		this.rendered = false;
--- a/src/managers/views/iframe.js
+++ b/src/managers/views/iframe.js
@ -16,7 +16,8 @@ class IframeView {
 			layout: undefined,
 			globalLayoutProperties: {},
 			method: undefined,
-			forceRight: false
+			forceRight: false,
+			allowScriptedContent: false
 		}, options || {});

 		this.id = "epubjs-view-" + uuid();
@ -88,6 +89,12 @@ class IframeView {
 		// Back up if seamless isn't supported
 		this.iframe.style.border = "none";

+		// sandbox
+		this.iframe.sandbox = "allow-same-origin";
+		if (this.settings.allowScriptedContent && this.section.properties.indexOf("scripted") > -1) {
+			this.iframe.sandbox += " allow-scripts"
+		}
+
 		this.iframe.setAttribute("enable-annotation", "true");

 		this.resizing = true;
--- a/src/rendition.js
+++ b/src/rendition.js
@ -36,6 +36,8 @@ import ContinuousViewManager from "./managers/continuous/index";
 * @param {boolean} [options.resizeOnOrientationChange] false to disable orientation events
 * @param {string} [options.script] url of script to be injected
 * @param {boolean | object} [options.snap=false] use snap scrolling
+ * @param {string} [options.defaultDirection='ltr'] default text direction
+ * @param {boolean} [options.allowScriptedContent=false] enable running scripts in content
 */
 class Rendition {
 	constructor(book, options) {
@ -54,7 +56,8 @@ class Rendition {
 			resizeOnOrientationChange: true,
 			script: null,
 			snap: false,
-			defaultDirection: "ltr"
+			defaultDirection: "ltr",
+			allowScriptedContent: false
 		});

 		extend(this.settings, options);