iframe lacks allow attribute to use navigator.clipboard in Chrome #3474
Comments
vmiklos
added a commit
to vmiklos/nextcloud-richdocuments
that referenced
this issue
Feb 16, 2024
…d#3474) As described at <https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes> newer Chrome requires explicit markup for code in an iframe to execute JS that requires permissions, like clipboard. If this markup is missing, then the user won't even be asked. Use the wildcard syntax, because the COOL JS code in the iframe is not the initial src attribute value of the iframe, it gets changed later. With this, a permission popup on paste shows up in Chrome even if the paste is pressed on the notebookbar, even if nextcloud is served from one domain and COOL is served from another domain. This fixes the document edit case; possibly it should also be added at all other places where the allowfullscreen attribute is used, which is not done in this commit.
Proposed fix: #3475
eszkadev
added a commit
that referenced
this issue
Feb 19, 2024
fix: emit allow attribute on iframe for the clipboard (fixes #3474)
vmiklos
added a commit
to vmiklos/nextcloud-richdocuments
that referenced
this issue
Feb 20, 2024
…nextcloud#3474) The unhandled cases were:
- read-only view
- view a past revision
- for completeness, also adapt the iframe in files.js
juliusknorr
added a commit
that referenced
this issue
Feb 20, 2024
[stable28] fix: emit allow attribute on iframe for the clipboard (fixes #3474)
juliusknorr
added a commit
that referenced
this issue
Feb 27, 2024
[stable27] fix: emit allow attribute on iframe for the clipboard (fixes #3474)
This was referenced Feb 29, 2024
Closed
vmiklos
added a commit
to vmiklos/nextcloud-richdocuments
that referenced
this issue
Oct 16, 2024
…, too (fixes nextcloud#3474) The CA chain for the document signing was already a user setting & it was exposed in the WOPI CheckFileInfo, but the actual signing certificate & key was missing, so signing was not possible. These are typically in a similar PEM format using just ASCII characters, so providing a textarea where the user can paste them sounds like a good fit. Add the read/write of this setting and also expose it as part of the private user info in WOPI CheckFileInfo. With this, once all 3 are configured, it's possible to sign a document in Nextcloud Office, using the Signature button on the Home tab of the notebookbar.
Ignore the above commit, bad issue number, sorry.
Describe the bug
Recent online.git tries to use navigator.clipboard in Chrome for better paste and paste special when you use the notebookbar buttons and not the keyboard. This works when COOL is running standalone, but not when nextcloud is served from one domain and COOL is from another domain, due to how Chrome restricts cross-origin iframes.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A Chrome popup asks if reading from the clipboard should be allowed.
Actual behavior
Nothing happens, unless nextcloud and COOL are served from the same domain.
Screenshots
The developer console shows this:
"navigator.clipboard.read() failed: The Clipboard API has been blocked because of a permissions policy applied to the current document. See https://goo.gl/EuHzyv for more details."
Other details
Probably the fix is to emit an allow="clipboard-read *; clipboard-write *" attribute on the iframe element in src/view/Office.vue, will submit a PR to do that. At least that makes the clipboard popup show and after granting the permission, paste works in Chrome.
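
A simplified model of how the iframe allow attribute delegates the clipboard features, added here as an example; it is not part of the original issue or of the richdocuments code. The hostnames and the about:blank initial src are constructed assumptions, and the explicit-origin case goes slightly beyond the issue to show an allowlist that delegates to one origin instead of every origin.

```javascript
// Added example: simplified model of iframe `allow` delegation (Permissions Policy).
// Hostnames and the about:blank initial src are constructed, not taken from the issue.

// Parse `allow` into Map<feature, tokens[]>; a feature with no allowlist means 'src'.
function parseAllow(allow) {
  const policy = new Map();
  for (const directive of allow.split(';')) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Would `feature` be delegated to the document that ends up loaded in the frame?
function isDelegated(allow, feature, { parentOrigin, srcAttr, loadedUrl }) {
  const loaded = originOf(loadedUrl);
  const allowlist = parseAllow(allow).get(feature);
  // Not listed: clipboard-read/clipboard-write default to 'self' (same-origin frames only).
  if (!allowlist) return loaded === parentOrigin;
  return allowlist.some((token) => {
    if (token === '*') return true;
    if (token === "'self'") return loaded === parentOrigin;
    if (token === "'src'") return loaded !== null && loaded === originOf(srcAttr);
    return loaded !== null && loaded === originOf(token); // explicit origin
  });
}

// Review helper: features delegated to every origin, candidates for an explicit origin.
function wildcardFeatures(allow) {
  return [...parseAllow(allow)].filter(([, list]) => list.includes('*')).map(([f]) => f);
}

// Constructed cross-domain setup: host page and editor on different origins.
const frame = {
  parentOrigin: 'https://cloud.example.com',
  srcAttr: 'about:blank',
  loadedUrl: 'https://office.example.com/editor',
};
for (const allow of ['', 'clipboard-read; clipboard-write',
  'clipboard-read *; clipboard-write *', 'clipboard-read https://office.example.com']) {
  console.log(JSON.stringify(allow), '->', isDelegated(allow, 'clipboard-read', frame));
}
```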