Serving private HTML in an iframe #184
Comments
|
An additional issue related to this is that since dokeli is the default pane for HTML, this confusing screen is what will be shown first. |
|
A possible security issue - the HTML would inherit SolidOS permissions. |
|
The simplest solution is to make the source pane the default pane for HTML. We could also make the human-readable pane the default if we changed it so that it used an authenticated fetch + |
|
In general more readable views like formatted text should take precedence over raw views like plain text. I guess we treat all HTML files the same whether dokieli or not. Is that part of the problem? |
|
@timbl - it's the iframe that is the problem, not specifically dokeli - it impacts all HTML incuding in the human-readable pane too. Agree, we should prefer the most readable format first. One solution is to use srcDoc with a sanitized version of the HTML in the human readable pane and make it the default pane for HTML. That way, users would see the HTML page (minus javascript and web components) as the default view and if they want to edit, they can use either dokeli or the source pane. |
|
I'm not sure I quite understand the difference between the dokieli and source panes. While unauthenticated, when I input https://jeff-zucker.solidcommunity.net/private/hidden.html into Viewing field, I see the dokieli pane opening up (because it is set to default?) but the server returns a 401 with payload containing the SolidOS Web App HTML (which has JS etc.) and what I see is same as the screenshots you've shared. For the source pane, I get a 401 too and it looks like this:
Correct me if I'm misunderstood you but are you saying that while one may be authenticated from https://solidos.github.io/mashlib/dist/browse.html and can view https://jeff-zucker.solidcommunity.net/private/hidden.html with the source pane, it doesn't load up in dokieli pane? I couldn't reproduce this as I've created https://csarven.solidcommunity.net/hidden.html and gave Read permissions to only myself. I was able to view it both dokieli and source panes. When I'm not authenticated, I get a 401 in both. Regarding But yes the contents in which that resource originates from is already fetched. So, it is not doing dynamic rendering (on page load) like with Happy to discuss / share more notes on this elsewhere.. we are / will be going through all sorts of security stuff in dokieli soon / this year. Aside: this seems like a bug ?
|
|
@csarven wrote
Can you confirm that when accessed from the github webapp, you were able to see both the dokeli and source panes without logging in a second time in the dokeli pane? |
|
And that you used the webapp login button to login, not the dokeli one? |
|
Right, I only used the login from the top-level app at https://solidos.github.io/mashlib/dist/browse.html (nothing form the panes). But right now I can't even reproduce anything.. it shows me as signed in but getting 401 on the hidden. I've cleared cache/local storage everything and tried.. still no go. Also in private mode. I'm getting the bug / screenshot that I shared at the bottom of my comment above. |
When SolidOS is served on an origin different from the pod it is accessing (for example the SolidOS Webapp or Data-Kitchen, panes that use Iframes for HTML (dokeli, human-readable) will require a second login even if the user is already logged in as owner of the data. The images below show that that dokeli pane won't show the private HTML but the source pane will. The main page login applies to the location of SolidOS, while the iframe origin is that of the imported page.
With the source pane, I believe we can solve this issue by doing an authenticated GET on the HTML, and then displaying it in an iframe using the
srcDocattribute rather than thesrcattribute. UsingsrcDocmeans that the HTML is coming from the same origin as SolidOS so it should work even when SolidOS is on a different server. I am not sure if this solution would apply to dokeli.The text was updated successfully, but these errors were encountered: