From fd56ddaa5405a77466b6f157729326fd12807746 Mon Sep 17 00:00:00 2001
From: shortcutme <tamas@zeronet.io>
Date: Wed, 21 Feb 2018 03:03:01 +0100
Subject: [PATCH] Remove wrapper object reference before loading iframe to
 enhance security

---
 src/Ui/media/Wrapper.coffee  | 6 ++++++
 src/Ui/template/wrapper.html | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/Ui/media/Wrapper.coffee b/src/Ui/media/Wrapper.coffee
index 7868efbf..b8c172e4 100644
--- a/src/Ui/media/Wrapper.coffee
+++ b/src/Ui/media/Wrapper.coffee
@@ -398,6 +398,12 @@ class Wrapper
 			@log "Setting title to", window.document.title
 
 
+	onWrapperLoad: =>
+		# Cleanup secret variables
+		delete window.wrapper
+		delete window.wrapper_key
+		$("#script_init").remove()
+
 	# Send message to innerframe
 	sendInner: (message) ->
 		@inner.postMessage(message, '*')
diff --git a/src/Ui/template/wrapper.html b/src/Ui/template/wrapper.html
index 6f2c4741..b5bf1551 100644
--- a/src/Ui/template/wrapper.html
+++ b/src/Ui/template/wrapper.html
@@ -54,7 +54,7 @@ if (window.self !== window.top && document.execCommand) document.execCommand("St
 <iframe src='about:blank' id='inner-iframe' sandbox="allow-forms allow-scripts allow-top-navigation allow-popups allow-modals {sandbox_permissions}" allowfullscreen="true" webkitallowfullscreen="true" mozallowfullscreen="true" oallowfullscreen="true" msallowfullscreen="true"></iframe>
 
 <!-- Site info -->
-<script>
+<script id="script_init">
 document.getElementById("inner-iframe").src = "about:blank"
 document.getElementById("inner-iframe").src = "{file_url}{query_string}"
 address = "{address}"
@@ -71,6 +71,6 @@ if (typeof WebSocket === "undefined")
 	document.body.innerHTML += "<div class='unsupported'>Your browser is not supported please use <a href='http://outdatedbrowser.com'>Chrome or Firefox</a>.</div>";
 </script>
 <script type="text/javascript" src="/uimedia/all.js?rev={rev}&lang={lang}"></script>
-
+<script>setTimeout(window.wrapper.onWrapperLoad, 1)</script>
 </body>
 </html>