Remove wrapper object reference before loading iframe to enhance security

2023-12-14 04:33:03 +01:00 · 2018-02-21 03:03:01 +01:00 · 2018-02-21 03:03:01 +01:00 · fd56ddaa54
parent c438b9f8a5
commit fd56ddaa54
2 changed files with 8 additions and 2 deletions
--- a/src/Ui/media/Wrapper.coffee
+++ b/src/Ui/media/Wrapper.coffee
@ -398,6 +398,12 @@ class Wrapper
 			@log "Setting title to", window.document.title


+	onWrapperLoad: =>
+		# Cleanup secret variables
+		delete window.wrapper
+		delete window.wrapper_key
+		$("#script_init").remove()
+
 	# Send message to innerframe
 	sendInner: (message) ->
 		@inner.postMessage(message, '*')
--- a/src/Ui/template/wrapper.html
+++ b/src/Ui/template/wrapper.html
@ -54,7 +54,7 @@ if (window.self !== window.top && document.execCommand) document.execCommand("St
 <iframe src='about:blank' id='inner-iframe' sandbox="allow-forms allow-scripts allow-top-navigation allow-popups allow-modals {sandbox_permissions}" allowfullscreen="true" webkitallowfullscreen="true" mozallowfullscreen="true" oallowfullscreen="true" msallowfullscreen="true"></iframe>

 <!-- Site info -->
-<script>
+<script id="script_init">
 document.getElementById("inner-iframe").src = "about:blank"
 document.getElementById("inner-iframe").src = "{file_url}{query_string}"
 address = "{address}"
@ -71,6 +71,6 @@ if (typeof WebSocket === "undefined")
 	document.body.innerHTML += "<div class='unsupported'>Your browser is not supported please use <a href='http://outdatedbrowser.com'>Chrome or Firefox</a>.</div>";
 </script>
 <script type="text/javascript" src="/uimedia/all.js?rev={rev}&lang={lang}"></script>
-
+<script>setTimeout(window.wrapper.onWrapperLoad, 1)</script>
 </body>
 </html>