readium / SDKLauncher-iOS

A small iOS application to serve as a launcher/testbed for the Readium SDK.
BSD 3-Clause "New" or "Revised" License

WkWebView loses cross-origin restriction (protection against malicious EPUBs) #58

Open danielweck opened 9 years ago

danielweck commented 9 years ago

...because the file:// URI scheme / protocol cannot be used anymore for serving reader.html from the app-bundle (alongside HTTP://IP:PORT for serving the EPUB content documents). This also means that using different origins will bidirectionally sandbox the iframe, preventing the Readium rendering engine (readium-shared-js) from performing some behaviour injection such as Media Overlays playback, annotations, etc.

See: https://docs.google.com/document/d/1GK1aVsrTv23WroBWMX-XiwYtXbq6huW_pK8QXRaY6XQ/

Note that window.top / parent / frameElement.ownerDocument.defaultView cannot reliably be used to plug the security holes, so we removed them from the cloud reader and chrome extension.
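The origin relationships described in the comment above, as an added example that is not part of the original thread or of Readium's code: it classifies a reader.html / content-document URL pair by how the same-origin policy treats it. The URLs, ports, verdict labels and function names are constructed for illustration.

```javascript
// Added example, not Readium code. All URLs and ports are constructed samples.

// Network origin (scheme + host + port), or null for schemes such as file://
// that have no network origin and never compare equal to an HTTP origin.
function networkOrigin(url) {
  const u = new URL(url);
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.origin : null;
}

// Classify how the same-origin policy relates the reader shell (reader.html)
// to an EPUB content document loaded in its iframe.
//   'file-shell'   : shell loaded from file://, content from HTTP
//   'same-origin'  : one origin for both, so book scripts are not separated
//                    from the shell (window.parent / window.top are reachable)
//   'cross-origin' : two network origins, separated in both directions, which
//                    also stops the shell from injecting into the iframe
function classifyLayout(readerUrl, contentUrl) {
  const reader = networkOrigin(readerUrl);
  const content = networkOrigin(contentUrl);
  if (reader === null) return 'file-shell';
  return reader === content ? 'same-origin' : 'cross-origin';
}

// Constructed layouts matching the three situations the issue describes.
const LAYOUTS = [
  { name: 'file:// shell, HTTP content',
    reader: 'file:///app/Bundle/reader.html',
    content: 'http://127.0.0.1:8080/book/chapter1.xhtml' },
  { name: 'single HTTP server for shell and content',
    reader: 'http://127.0.0.1:8080/reader.html',
    content: 'http://127.0.0.1:8080/book/chapter1.xhtml' },
  { name: 'shell and content on different ports',
    reader: 'http://127.0.0.1:8080/reader.html',
    content: 'http://127.0.0.1:8081/book/chapter1.xhtml' },
];

function auditLayouts(layouts) {
  return layouts.map((l) => ({
    name: l.name,
    verdict: classifyLayout(l.reader, l.content),
  }));
}

for (const r of auditLayouts(LAYOUTS)) {
  console.log(`${r.verdict.padEnd(13)} ${r.name}`);
}
```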

danielweck commented 9 years ago

See:
https://github.com/readium/SDKLauncher-iOS/tree/feature/wkwebview
https://github.com/readium/readium-sdk/tree/feature/wkwebview