Add "rootUrl" setting, use updated session response structure

Since [email protected], session response has "path" field instead of "url", thus the need to prepend frame URL with root URL from settings. Also, added "allowCrossOrigin" setting (true by default). Added console error if cross-origin framing is attempted.
alexander-klimov · Sep 16, 2019 · 99ae5d6 · 99ae5d6
1 parent f791ba1
commit 99ae5d6
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 12 deletions.
diff --git a/index.html b/index.html
@@ -33,7 +33,9 @@ <h2>Example #4: Gets the padContents from Example #2</h2>
         <h2>Available options and parameters</h2>
         <pre>
                'host'             : 'http://beta.etherpad.org', // the host and port of the Etherpad instance, by default the foundation will host your pads for you
+               'rootUrl'          : 'http://beta.etherpad.org', // the host and port of the Etherpad instance, serves for pad URL construction after creating a session (can have sub-context)
                'baseUrl'          : '/p/',                      // The base URL of the pads
+               'allowCrossOrigin' : false,                      // Allow cross-origin framing or not (Etherpad instance can be on another host).
                'showControls'     : false,                      // If you want to show controls IE bold, italic, etc.
                'showChat'         : false,                      // If you want to show the chat button or not
                'showLineNumbers'  : false,                      // If you want to show the line numbers or not
@@ -49,6 +51,7 @@ <h2>Available options and parameters</h2>
                'borderStyle'      : 'solid'                     // The CSS style of the border [none, dotted, dashed, solid, double, groove, ridge, inset, outset]
                'plugins'          : {},                         // The options related to the plugins, not to the basic Etherpad configuration
                'rtl'              : false                       // Show right to left text
+               'sessionSettings'  : {}                          // Session settings (apiKey, userName, userId, groupId, validUntil, padName)
         </pre>
 
 	<script type="text/javascript">

diff --git a/js/etherpad.js b/js/etherpad.js
@@ -3,7 +3,9 @@
   $.fn.pad = function( options ) {
     var settings = {
       'host'              : 'http://beta.etherpad.org',
+      'rootUrl'           : 'http://beta.etherpad.org',
       'baseUrl'           : '/p/',
+      'allowCrossOrigin'  : false,
       'showControls'      : false,
       'showChat'          : false,
       'showLineNumbers'   : false,
@@ -24,7 +26,7 @@
       'rtl'               : false,
       // custom settings
       'isGroupPad'        : '',
-      'sessionSettings'     : {}
+      'sessionSettings'   : {}
     };
 
     var $self = this;
@@ -41,13 +43,13 @@
       }
 
       var pluginParams = '';
-      for(var option in settings.plugins) {
+      for (var option in settings.plugins) {
         pluginParams += '&' + option + '=' + settings.plugins[option];
       }
 
       var iFrameLink = '<iframe id="' + epframeId;
       iFrameLink += '" name="' + epframeId;
-      if(settings.sessionSettings.hasOwnProperty("apiKey")) {
+      if (settings.sessionSettings.hasOwnProperty("apiKey")) {
         iFrameLink += '" src="' + settings.host + '/auth_session';
         iFrameLink += '?apiKey=' + settings.sessionSettings.apiKey;
         iFrameLink += '&authorName=' + encodeURIComponent(settings.sessionSettings.userName);
@@ -61,7 +63,7 @@
         }
         iFrameLink += '&';
       } else {
-        iFrameLink += '" src="' + settings.host + settings.baseUrl + settings.padId;
+        iFrameLink += '" src="' + settings.rootUrl + settings.baseUrl + settings.padId;
         iFrameLink += '?';
       }
       iFrameLink += 'showControls=' + settings.showControls;
@@ -124,20 +126,24 @@
         }
 
         var receiveMessage = function(event) {
-          var origin = (event.originalEvent.origin + "/").replace(/([^:]\/)\/+/g, "$1");
-          var host = (settings.host + "/").replace(/([^:]\/)\/+/g, "$1");
-          if (origin !== host)
+          var evt = event.originalEvent || event,
+              data = evt.data,
+              origin = (evt.origin + "/").replace(/([^:]\/)\/+/g, "$1"),
+              host = (settings.host + "/").replace(/([^:]\/)\/+/g, "$1");
+
+          if (!settings.allowCrossOrigin && origin !== host) {
+            console.error('Cross-origin framing is not allowed.');
             return;
+          }
 
-          var data = event.originalEvent.data;
-          if(data.action === 'redirect') {
-            if(isLocalStorageAvailable) {
+          if (data.action === 'redirect') {
+            if (isLocalStorageAvailable) {
               localStorage.setItem('epSessionID', data.sessionID);
               localStorage.setItem('epSessionValidUntil', data.validUntil);
             }
-            epFrame.attr('src', data.url);
+            epFrame.attr('src', settings.rootUrl + data.path);
           }
-          if(data.action === 'refreshSession' && isLocalStorageAvailable) {
+          if (data.action === 'refreshSession' && isLocalStorageAvailable) {
             localStorage.removeItem('epSessionID');
             localStorage.removeItem('epSessionValidUntil');
             var regexp = /^((?:.+&)|\?)(sessionID=s\.[^&]+)(?:$|(?:&(.+)))/g;