Executing only trusted javascript


Postby plq » Wed Dec 01, 2021 12:17 pm

Hello,

We are using CEF as the html engine in our soon-to-be-released email client. We are currently running with JS disabled (CefBrowserSettings::javascript = STATE_DISABLED) but it looks like we need to enable it to get:

1. auto resizing iframes (eg. https://www.magpcss.org/ceforum/viewtopic.php?f=6&t=333)
2. link hover events (eg. viewtopic.php?f=6&t=11160)

Is there a way to make sure no javascript from the loaded document is executed? Stuff I wouldn't want to do, in order:

1. Patch CEF
2. Kill a puppy
3. Try to strip the document of all javascript code before loading it. (man this is ugly... please don't suggest this :/)

For example, is there a way to have javascript enabled on the main frame but disabled in the sub <iframe>s? Or any other ideas?

Thanks!
plq
Techie
 
Posts: 11
Joined: Mon Oct 25, 2021 7:21 am

Re: Executing only trusted javascript

Postby magreenblatt » Wed Dec 01, 2021 4:42 pm

magreenblatt
Site Admin
 
Posts: 12382
Joined: Fri May 29, 2009 6:57 pm

Re: Executing only trusted javascript

Postby plq » Wed Dec 01, 2021 4:59 pm

Thanks for the link. Would it be possible to get hover events from sandboxed iframes? I guess the alternative is: https://bitbucket.org/chromiumembedded/cef/issues/783 ? How difficult is it?
plq
Techie
 
Posts: 11
Joined: Mon Oct 25, 2021 7:21 am

Re: Executing only trusted javascript

Postby magreenblatt » Wed Dec 01, 2021 5:16 pm

What do you intend to do with the hover events?
magreenblatt
Site Admin
 
Posts: 12382
Joined: Fri May 29, 2009 6:57 pm

Re: Executing only trusted javascript

Postby plq » Wed Dec 01, 2021 5:21 pm

I just want to show the link target when the user hovers on a link in the html document. Just like a regular browser does.
plq
Techie
 
Posts: 11
Joined: Mon Oct 25, 2021 7:21 am

Re: Executing only trusted javascript

Postby ndesktop » Thu Dec 02, 2021 4:30 am

CefDisplayHandler::OnStatusMessage should be better, since it serves all status messages, not only hovered URLs.
You can, however, filter only the strings having a registered scheme prefix or something like this.
ndesktop
Master
 
Posts: 750
Joined: Thu Dec 03, 2015 10:10 am

Re: Executing only trusted javascript

Postby plq » Thu Dec 02, 2021 5:27 am

It looks like I totally overlooked CefDisplayHandler::OnStatusMessage, thanks a lot for pointing it out. As we have HTTP disabled and there's not much else to filter I think it'll do the job nicely.

So to recapitulate, to execute only trusted javascript, load your non-trusted document in an iframe like so:

Code:
<iframe style="pointer-events: none;" sandbox src="..." ></iframe>


and use javascript as described in https://bitbucket.org/chromiumembedded/ ... ntegration on your main frame.

Having style="pointer-events: none" seemingly protects against a dragging operation started outside of the iframe being stopped when the cursor goes over the iframe. See here for more info: https://www.gyrocode.com/articles/how-t ... e-element/

My web tech knowledge is quite rusty so do your own research™ about these.

Thanks all for your help
plq
Techie
 
Posts: 11
Joined: Mon Oct 25, 2021 7:21 am
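
An added example, not part of the original posts or of CEF: one way to reduce the strings delivered to CefDisplayHandler::OnStatusMessage to link targets with an allowlisted scheme, along the lines ndesktop suggests. The helper names, the allowlist contents and ShowLinkTarget are assumptions; the CEF wiring appears only as a comment so the block compiles without CEF headers.

```cpp
#include <cctype>
#include <set>
#include <string>

// Returns the lowercased URL scheme of `text`, or "" if `text` does not start
// with a syntactically valid scheme followed by ':' (RFC 3986, section 3.1).
std::string SchemeOf(const std::string& text) {
  if (text.empty() || !std::isalpha(static_cast<unsigned char>(text[0])))
    return "";
  std::string scheme;
  for (char c : text) {
    unsigned char u = static_cast<unsigned char>(c);
    if (c == ':') return scheme;
    if (!std::isalnum(u) && c != '+' && c != '-' && c != '.') return "";
    scheme += static_cast<char>(std::tolower(u));
  }
  return "";  // no ':' found, so this is not a URL
}

// Decides what the link-target bar should show for one status message.
// An empty result means "clear the bar": the hover ended, the message is not
// a link, or the link uses a scheme that is not on the allowlist.
std::string HoverTargetFor(const std::string& status,
                           const std::set<std::string>& allowed_schemes) {
  // Drop anything containing control characters before it reaches UI text.
  for (char c : status)
    if (std::iscntrl(static_cast<unsigned char>(c))) return "";
  // A syntactic check alone is not enough: "Loading: x" parses as scheme
  // "loading", so the scheme must also be on the allowlist.
  const std::string scheme = SchemeOf(status);
  if (scheme.empty() || allowed_schemes.count(scheme) == 0) return "";
  return status;
}

// Hypothetical wiring inside a CefDisplayHandler subclass (needs CEF headers;
// ShowLinkTarget is an assumed application function):
//   void OnStatusMessage(CefRefPtr<CefBrowser> browser,
//                        const CefString& value) override {
//     ShowLinkTarget(HoverTargetFor(value.ToString(), {"https", "mailto"}));
//   }
```
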

