Google Git
Sign in
gwt / gwt / f5df41df4016cd2ce4e6a15a637dbe2ddc4f3fab^! / .
commitf5df41df4016cd2ce4e6a15a637dbe2ddc4f3fab[log] [tgz]
authorAleksandr Dobkin <dobkin@google.com>Wed May 17 16:39:26 2017 -0700
committerDaniel Kurka <dankurka@google.com>Fri May 19 17:32:44 2017 +0000
tree1fbd923ce83129f5ce4dd7135db37427473de3d1
parentc03a6396cce232c053fdd00b81eb11ea587d19e4 [diff]
Make installLocationIframe.js in GWT compatible with CSP.

This change removes "javascript:" assignment to src attribute of a
newly created an iframe. This is effectively a no-op but creates a CSP
violation.

Manually tested on IE8, 9, 10, 11 and Edge, and current Firefox and
Chrome.

Change-Id: I4d5a1e66efadabba102703e7ce90c01b06a9c45b
Review-Link: https://gwt-review.googlesource.com/#/c/18480/

diff --git a/dev/core/src/com/google/gwt/core/ext/linker/impl/installLocationIframe.js b/dev/core/src/com/google/gwt/core/ext/linker/impl/installLocationIframe.js
index fa9abad..59fca5c 100644
--- a/dev/core/src/com/google/gwt/core/ext/linker/impl/installLocationIframe.js
+++ b/dev/core/src/com/google/gwt/core/ext/linker/impl/installLocationIframe.js

@@ -31,22 +31,21 @@
   // Create the script frame, making sure it's invisible, but not
   // "display:none", which keeps some browsers from running code in it.
   var scriptFrame = $doc.createElement('iframe');
-  scriptFrame.src = 'javascript:""';
   scriptFrame.id = '__MODULE_NAME__';
   scriptFrame.style.cssText = 'position:absolute; width:0; height:0; border:none; left: -1000px;'
     + ' top: -1000px;';
   scriptFrame.tabIndex = -1;
   $doc.body.appendChild(scriptFrame);
 
-  frameDoc = scriptFrame.contentDocument;
-  if (!frameDoc) {
-    frameDoc = scriptFrame.contentWindow.document;
-  }
+  frameDoc = scriptFrame.contentWindow.document;
 
-  // The missing content has been seen on Safari 3 and firebug will
-  // behave incorrectly on soft refresh unless we explicitly set the content
-  // of the frame. However, we don't want to do this when runAsync calls
-  // installCode, so we do it here when we create the iframe.
+  // The following code is needed for proper operation in Firefox, Safari, and
+  // Internet Explorer.
+  //
+  // In Firefox, this prevents the frame from re-loading asynchronously and
+  // throwing away the current document.
+  //
+  // In IE, it ensures that the <body> element is immediately available.
   frameDoc.open();
   var doctype = (document.compatMode == 'CSS1Compat') ? '<!doctype html>' : '';
   frameDoc.write(doctype + '<html><head></head><body></body></html>');