
Executing only trusted javascript

Posted: Wed Dec 01, 2021 12:17 pm
by plq
Hello,

We are using CEF as the HTML engine in our soon-to-be-released email client. We are currently running with JS disabled (CefBrowserSettings::javascript = STATE_DISABLED) but it looks like we need to enable it to get:

1. auto resizing iframes (e.g. https://www.magpcss.org/ceforum/viewtopic.php?f=6&t=333)
2. link hover events (e.g. viewtopic.php?f=6&t=11160)

Is there a way to make sure no javascript from the loaded document is executed? Stuff I wouldn't want to do, in order:

1. Patch CEF
2. Kill a puppy
3. Try to strip the document from all javascript code before loading it. (man this is ugly... please don't suggest this :/)

For example, is there a way to have javascript enabled on the main frame but disabled in the sub <iframe>s? Or any other ideas?

Thanks!

Re: Executing only trusted javascript

Posted: Wed Dec 01, 2021 4:42 pm
by magreenblatt

Re: Executing only trusted javascript

Posted: Wed Dec 01, 2021 4:59 pm
by plq
Thanks for the link. Would it be possible to get hover events from sandboxed iframes? I guess the alternative is: https://bitbucket.org/chromiumembedded/cef/issues/783 ? How difficult is it?

Re: Executing only trusted javascript

Posted: Wed Dec 01, 2021 5:16 pm
by magreenblatt
What do you intend to do with the hover events?

Re: Executing only trusted javascript

Posted: Wed Dec 01, 2021 5:21 pm
by plq
I just want to show the link target when the user hovers on a link in the html document. Just like a regular browser does.

Re: Executing only trusted javascript

Posted: Thu Dec 02, 2021 4:30 am
by ndesktop
CefDisplayHandler::OnStatusMessage should be better, since it serves all status messages, not only hovered URLs.
You can, however, filter only the strings having a registered scheme prefix or something like this.

Re: Executing only trusted javascript

Posted: Thu Dec 02, 2021 5:27 am
by plq
It looks like I totally overlooked CefDisplayHandler::OnStatusMessage, thanks a lot for pointing it out. As we have HTTP disabled and there's not much else to filter I think it'll do the job nicely.

So to recapitulate, to execute only trusted javascript, load your non-trusted document in an iframe like so:

Code:
<iframe style="pointer-events: none;" sandbox src="..." ></iframe>

and use javascript as described in https://bitbucket.org/chromiumembedded/ ... ntegration on your main frame.

Having style="pointer-events: None" seemingly protects against a dragging operation started outside of the iframe being stopped when the cursor goes over the iframe. See here for more info: https://www.gyrocode.com/articles/how-t ... e-element/

My web tech knowledge is quite rusty so do your own research™ about these.

Thanks all for your help
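
The scheme-prefix filtering suggested above for strings received in CefDisplayHandler::OnStatusMessage, as an added example that is not code from the thread or from CEF. The function names and the allowlist of schemes are assumptions; in a real handler the input would be the callback's CefString value converted to std::string.

```cpp
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Assumption: the schemes this client is willing to show as a hover target.
// Replace with the schemes your application actually registers.
static const std::set<std::string> kDisplayableSchemes = {"https", "mailto"};

// Returns the lower-cased RFC 3986 scheme (ALPHA *(ALPHA / DIGIT / "+" / "-" / "."))
// that `text` starts with, or "" when it does not start with one.
std::string ExtractScheme(const std::string& text) {
  const std::string::size_type colon = text.find(':');
  if (colon == std::string::npos || colon == 0) return "";
  if (!std::isalpha(static_cast<unsigned char>(text[0]))) return "";
  std::string scheme;
  for (std::string::size_type i = 0; i < colon; ++i) {
    const unsigned char c = static_cast<unsigned char>(text[i]);
    if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return "";
    scheme.push_back(static_cast<char>(std::tolower(c)));
  }
  return scheme;
}

// Decides what the status bar shows for one status message. Returns "" (clear
// the bar) unless the message is a URL whose scheme is on the allowlist, so
// non-URL status text and unexpected schemes are never displayed.
std::string HoverTextForStatus(const std::string& status) {
  for (unsigned char c : status)
    if (c < 0x20 || c == 0x7f) return "";  // control chars could fake a second line
  const std::string scheme = ExtractScheme(status);
  if (scheme.empty() || kDisplayableSchemes.count(scheme) == 0) return "";
  return status;
}

int main() {
  // Constructed sample status strings, not captured from a real browser.
  const char* samples[] = {"https://example.com/inbox", "MAILTO:user@example.com",
                           "http://example.com/", "javascript:void(0)",
                           "Waiting for example.com..."};
  for (const char* s : samples)
    std::cout << '[' << s << "] -> [" << HoverTextForStatus(s) << "]\n";
  return 0;
}
```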