Fix iframes affected by sandbox regression

A hotfix was pushed out which strips the sandbox attribute from iframes. We should only strip it if the iframe was affected by the regression introduced with LS-743. Test Plan: Create a page Add the following iFrame content: <p><iframe src="https://docs.google.com/presentation/d/1X7DeC2XASzkjWsYX9eJuKid2Yxe_WxIksQP0mkYYl30/edit?usp=sharing" width="800" height="480" sandbox="allow-scripts allow-forms allow-same-origin"></iframe></p> Save. On the page, try requesting access. A confirm modal should appear. Change the page content to the following: <p><iframe src="https://docs.google.com/presentation/d/1X7DeC2XASzkjWsYX9eJuKid2Yxe_WxIksQP0mkYYl30/edit?usp=sharing" width="800" height="480" sandbox="allow-scripts allow-same-origin"></iframe></p> Save. On the page, try requesting access. The confirm modal should NOT appear and an error should be logged to the console. flag=none Refs CNVS-49914 Change-Id: I20d0763a7ccf6e73163cf9056fdfad72efa2448c Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/245002 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> QA-Review: Robin Kuss <rkuss@instructure.com> Product-Review: Alex Anderson <raanderson@instructure.com> Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
2020-08-13 15:44:47 -04:00 · 2020-08-13 15:44:47 -04:00 · dcc31d315e
parent 189cac4b32
commit dcc31d315e
1 changed files with 7 additions and 5 deletions
--- a/public/javascripts/instructure.js
+++ b/public/javascripts/instructure.js
@ -241,7 +241,9 @@ export function enhanceUserContent() {
  }, 10)
  // Remove sandbox attribute from user content iframes to fix busted
  // third-party content, like Google Drive documents.
-  document.querySelectorAll('.user_content iframe[sandbox]').forEach(frame => {
+  document
+    .querySelectorAll('.user_content iframe[sandbox="allow-scripts allow-forms allow-same-origin"]')
+    .forEach(frame => {
      frame.removeAttribute('sandbox')
      const src = frame.src
      frame.src = src