turt2live / matrix-dimension

An open source integration manager for matrix clients, like Element.
https://dimension.t2bot.io
GNU General Public License v3.0
433 stars 110 forks

Custom Widget does not propagate outer iframe permissions. #380

Open freelance-bishop opened 4 years ago

freelance-bishop commented 4 years ago

To Reproduce

Step by step instructions to reproduce the behavior:

  1. Add a custom widget with a `navigator.getUserMedia` call.
  2. The call fails.

Expected behavior

The call should not fail.

Describe the bug

The hosted widget runs inside an iframe inside an iframe. The inner iframe is provided by Dimension. That iframe does not have the same permissions as the outer iframe.

Details

The inner iframe that is missing the permissions:

`<iframe _ngcontent-eke-c3="" allowfullscreen="" frameborder="0" src="https://host:5000?matrixUserId=@admin:host&amp;matrixRoomId=!JHYRbuvelvNfezXHVr:host&amp;matrixDisplayName=admin&amp;matrixAvatarUrl=" class="ng-star-inserted"></iframe>`

The outer iframe that is provided by Riot:

`<iframe allow="microphone; camera; encrypted-media; autoplay; display-capture;" src="https://host:8184/widgets/generic?url=https%3A%2F%2Fhost%3A5000%3FmatrixUserId%3D%40admin%3Ahost%26matrixRoomId%3D%21JHYRbuvelvNfezXHVr%3Ahost%26matrixDisplayName%3Dadmin%26matrixAvatarUrl%3D&amp;widgetId=dimension-m.custom-1604434746704&amp;parentUrl=https%3A%2F%2Fhost%2F" allowfullscreen="" sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-presentation"></iframe>`

This has the iframe properties: `allow="microphone; camera; encrypted-media; autoplay; display-capture;"`

Version of Node.js: v10.16.0

Server Operating System: Docker image sha256:ae424db3dc6c734855461661586361bd7da4cbaa875bf352de988ac274b33e72 (turt2live/matrix-dimension)
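
The nested-frame situation reported above, as an added example that is not part of the original report or of Dimension's code: features such as camera and microphone reach a nested cross-origin frame only if every iframe on the way down delegates them in its own `allow` attribute. The sketch compares the two `allow` values quoted in the issue and builds a least-privilege value for the inner frame. The function names and the wrapper allowlist are hypothetical, and the check looks only at attribute content, not at origin matching.

```javascript
// Added example: pure string logic, so it runs in Node without a DOM.

// Parse an iframe `allow` attribute into a Map of feature -> allowlist tokens.
function parseAllow(attr) {
  const policy = new Map();
  for (const directive of (attr || "").split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // skips the empty piece after a trailing ';'
    const [feature, ...allowlist] = tokens;
    // A bare feature name delegates to the origin in the iframe's src.
    policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["src"]);
  }
  return policy;
}

// A feature listed with 'none' is explicitly not delegated.
const isGranted = (policy, f) =>
  policy.has(f) && !policy.get(f).includes("'none'");

// Features the outer frame holds but the inner frame does not pass on.
function missingDelegations(outerAllow, innerAllow) {
  const outer = parseAllow(outerAllow);
  const inner = parseAllow(innerAllow);
  return [...outer.keys()].filter(
    (f) => isGranted(outer, f) && !isGranted(inner, f)
  );
}

// Build the inner iframe's `allow` value: only features the outer frame holds
// AND that the wrapper agrees to hand to the widget (hypothetical allowlist).
function delegatedAllow(outerAllow, wrapperAllowlist) {
  const outer = parseAllow(outerAllow);
  return wrapperAllowlist
    .filter((f) => isGranted(outer, f))
    .map((f) => `${f};`)
    .join(" ");
}

// Values taken from the two iframes quoted in the issue.
const OUTER_ALLOW =
  "microphone; camera; encrypted-media; autoplay; display-capture;";
const INNER_ALLOW = ""; // the inner iframe carries no allow attribute

console.log(missingDelegations(OUTER_ALLOW, INNER_ALLOW));
console.log(delegatedAllow(OUTER_ALLOW, ["camera", "microphone", "geolocation"]));
```

Passing a short allowlist to `delegatedAllow` rather than copying the outer attribute wholesale keeps a custom widget from receiving features such as `display-capture` that it never asked for.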