WebDialog.set_html fails under Safari 5.0.6

Dan Rathbun · 3 Sept 2011, 16:07

@dan rathbun said:

P.S. : I wonder if Mac Sketchup changes any of these Safari security policies when it installs, ...

Never been a problem before... Something must have changed at 5.0.6.

Meaning, you have upgraded Safari a number of times in the past, without causing adverse effects on Sketchup WebDialogs ??

Dan Rathbun · 3 Sept 2011, 16:08

And can someone check the Apple Bug site.. to see if anyone else has filed a local resource regression bug for 5.0.6 ??

TIG · 3 Sept 2011, 16:17

Could this be the 'security update' that's messing it up?
@unknownuser said:

WebKit in Apple Safari before 5.0.6 has improper libxslt security settings, which allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via a crafted web site. NOTE: this may overlap CVE-2011-1425.
http://www.cvedetails.com/cve/CVE-2011-1774/ http://support.apple.com/kb/ht4808

Dan Rathbun · 3 Sept 2011, 16:34

Refering to my earlier post on Security Policies, I went thru the Apple Developer Library, and the Webkit.org docs, looking for a similar policy list to the Chrome list. Could not find anything. (Sheesh.. I hate that Apple website, so hard to find anything.)

Has anyone checked to see if Safari has a manifest file like Chrome, with policy settings ??

thomthom · 3 Sept 2011, 18:03

@dan rathbun said:

@thomthom said:

@dan rathbun said:

P.S. : I wonder if Mac Sketchup changes any of these Safari security policies when it installs, ...

Never been a problem before... Something must have changed at 5.0.6.

Meaning, you have upgraded Safari a number of times in the past, without causing adverse effects on Sketchup WebDialogs ??

Yes, at least not in terms of permissions. Updating Safari off course means updated render engine, like when you update IE. But never have I experienced blocking changes like this.

thomthom · 3 Sept 2011, 18:56

Summary
In order to link to local resources in webdialogs one has to use file:/// prefix.

Problem arise under OSX with Safari 5.0.6 or higher: local resources are not allowed to be accessed any more. Images, CSS and JS will not load. External resources do work though.

What might be happening:
Under windows when you use webdialog.set_html, document.location will report a file located in the user's temp folder.
Under OSX on the other hand, document.location reports about:blank. So it appear to be feeding the HTML to the webdialog differently from Windows.

The current theory to why .set_html fails in 5.0.6 is that a security issue has been closed where about:blank pages where used to gain access to the local resources. Due to the design differences between Windows and OSX .set_html now fails to load local resources.

Workaround
Here is a quick bare bone wrapper class:
%(#BF0000)[Issue
Under OSX the garbage collector is not triggered upon SketchUp exit - so any webdialogs that's not been garbage collected will leave their temp files behiond. Looking into the matter...]

<span class="syntaxdefault"><br /></span><span class="syntaxcomment"># Custom WebDialog wrapper that works around problems with WebDialog#set_html<br /># under OSX after Safari 5.0.6 is installed.<br />#<br /># Example is bare bone without any error checking. Expand as you find fit.<br /></span><span class="syntaxdefault">class WebDialogPatch </span><span class="syntaxkeyword"><</span><span class="syntaxdefault"> UI</span><span class="syntaxkeyword">;;</span><span class="syntaxdefault">WebDialog<br /><br />  </span><span class="syntaxcomment"># @note Safari 5.0.6 made .set_html unusable under OSX because any links to<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment">#   resources ( Images, CSS, JS ) on the local computer failed to load.<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment">#   Previously it would work when you spesified file;/// but now it is denied.<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment">#<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment"># @param [String] html_string<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment"># @return [Nil]<br /></span><span class="syntaxdefault">  def set_html</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> html_string </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># Clean up any old temp file.<br /></span><span class="syntaxdefault">    cleanup_temp_file</span><span class="syntaxkeyword">()<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># Finalizer is attached to the webdialog so when it gets garbage collected<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># temp file is erased.<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># <br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># The temp filename needs to be different from the last on in order for the<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># html to be loaded. If the name is the same the content is not refreshed.<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment">#<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># For both the temp directory and temp file handling with better error<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># handling it'd probably best to port `tmpdir.rb` and `tempfile.rb` from<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># the Standard Ruby Library.<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment">#<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># http://www.ruby-doc.org/stdlib-1.8.6/<br /></span><span class="syntaxdefault">    tempdir </span><span class="syntaxkeyword">=</span><span class="syntaxdefault"> File</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">expand_path</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> ENV</span><span class="syntaxkeyword">[</span><span class="syntaxstring">'TMPDIR'</span><span class="syntaxkeyword">]</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">||</span><span class="syntaxdefault"> ENV</span><span class="syntaxkeyword">[</span><span class="syntaxstring">'TMP'</span><span class="syntaxkeyword">]</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">||</span><span class="syntaxdefault"> ENV</span><span class="syntaxkeyword">[</span><span class="syntaxstring">'TEMP'</span><span class="syntaxkeyword">]</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    unique_seed </span><span class="syntaxkeyword">=</span><span class="syntaxdefault"> </span><span class="syntaxstring">"#{self.object_id}#{Time.now.to_i}"</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">hash</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">abs<br />    filename </span><span class="syntaxkeyword">=</span><span class="syntaxdefault"> </span><span class="syntaxstring">"webdialog_#{unique_seed}.html"<br /></span><span class="syntaxdefault">    </span><span class="syntaxkeyword">@</span><span class="syntaxdefault">tempfile </span><span class="syntaxkeyword">=</span><span class="syntaxdefault"> File</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">join</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> tempdir</span><span class="syntaxkeyword">,</span><span class="syntaxdefault"> filename </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    cleanup_proc </span><span class="syntaxkeyword">=</span><span class="syntaxdefault"> self</span><span class="syntaxkeyword">.class.</span><span class="syntaxdefault">cleanup_temp_file</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">@</span><span class="syntaxdefault">tempfile</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">dup </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    ObjectSpace</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">define_finalizer</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> self</span><span class="syntaxkeyword">,</span><span class="syntaxdefault"> cleanup_proc </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># Write the HTML content out to the temp file.<br /></span><span class="syntaxdefault">    File</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">open</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">@</span><span class="syntaxdefault">tempfile</span><span class="syntaxkeyword">,</span><span class="syntaxdefault"> </span><span class="syntaxstring">'w'</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">)</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">{</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">|</span><span class="syntaxdefault">file</span><span class="syntaxkeyword">|<br /></span><span class="syntaxdefault">      file</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">write</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> html_string </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    </span><span class="syntaxkeyword">}<br /></span><span class="syntaxdefault">    set_file_original</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">@</span><span class="syntaxdefault">tempfile </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    nil<br />  end<br />  <br />  </span><span class="syntaxcomment"># @tempfile is set to `nil` when using #set_file and #set_url so the temp file<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment"># will be deleted. Since the #set_html wrapper uses #set_file it must be<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment"># aliased<br /></span><span class="syntaxdefault">  unless private_method_defined</span><span class="syntaxkeyword">?(</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">;</span><span class="syntaxdefault">set_file_original </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    </span><span class="syntaxcomment"># Prevent redefining in case of script reloading which cause infinite loop.<br /></span><span class="syntaxdefault">    alias </span><span class="syntaxkeyword">;</span><span class="syntaxdefault">set_file_original </span><span class="syntaxkeyword">;</span><span class="syntaxdefault">set_file<br />    private </span><span class="syntaxkeyword">;</span><span class="syntaxdefault">set_file_original<br />  end<br />  </span><span class="syntaxcomment"># @param [String] filename<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment"># @return [Nil]<br /></span><span class="syntaxdefault">  def set_file</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> filename </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    cleanup_temp_file</span><span class="syntaxkeyword">()<br /></span><span class="syntaxdefault">    set_file_original</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> filename </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">  end<br />  <br />  </span><span class="syntaxcomment"># @param [String] url<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment"># @return [Nil]<br /></span><span class="syntaxdefault">  def set_url</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> url </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    cleanup_temp_file</span><span class="syntaxkeyword">()<br /></span><span class="syntaxdefault">    super<br />  end<br />  <br />  </span><span class="syntaxcomment"># @return [Nil]<br /></span><span class="syntaxdefault">  def cleanup_temp_file<br />    if </span><span class="syntaxkeyword">@</span><span class="syntaxdefault">tempfile<br />      ObjectSpace</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">undefine_finalizer</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">@</span><span class="syntaxdefault">tempfile </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">      File</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">delete</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">@</span><span class="syntaxdefault">tempfile </span><span class="syntaxkeyword">)</span><span class="syntaxdefault"> if File</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">exist</span><span class="syntaxkeyword">?(</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">@</span><span class="syntaxdefault">tempfile </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    end<br />    </span><span class="syntaxkeyword">@</span><span class="syntaxdefault">tempfile </span><span class="syntaxkeyword">=</span><span class="syntaxdefault"> nil<br />  end<br />  private </span><span class="syntaxkeyword">;</span><span class="syntaxdefault">cleanup_temp_file<br />  <br />  </span><span class="syntaxcomment"># @private<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment">#<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment"># @see #set_html<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment"># @see http://www.mikeperham.com/2010/02/24/the-trouble-with-ruby-finalizers/<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment">#<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment"># @param [String] filename<br /></span><span class="syntaxdefault">  </span><span class="syntaxcomment"># @return [Proc]<br /></span><span class="syntaxdefault">  def self</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">cleanup_temp_file</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> filename </span><span class="syntaxkeyword">)<br /></span><span class="syntaxdefault">    proc </span><span class="syntaxkeyword">{</span><span class="syntaxdefault"> File</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">delete</span><span class="syntaxkeyword">(</span><span class="syntaxdefault"> filename </span><span class="syntaxkeyword">)</span><span class="syntaxdefault"> if File</span><span class="syntaxkeyword">.</span><span class="syntaxdefault">exist</span><span class="syntaxkeyword">?(</span><span class="syntaxdefault"> filename </span><span class="syntaxkeyword">)</span><span class="syntaxdefault"> </span><span class="syntaxkeyword">}<br /></span><span class="syntaxdefault">  end<br />  <br />end </span><span class="syntaxcomment"># class<br /></span><span class="syntaxdefault"> </span>

Revision 3

driven · 3 Sept 2011, 20:21

a couple observation while trying to get my head around all of this.

firstly, in Apples and probably Googles eyes the title of this thread should probably be 'WebDialog.set_html finally works as expected under Safari 5.0.6'. It does not appear to be not considered a 'bug', but a security enhancement.

It seems to have been implemented in Safari 4, to stop about:blank pages pirating local files and that some problem/oversite has allowed files:/// and other anonymous url's to work with about:blank pages in SU WebDialog and other WebView apps.

I have a number of html editors and they use temp files written to the relative folder, so if I try to edit index.html (for example) all the links, src's, url's, etc.. all remain relative and are considered safe. if I open the temp from a different folder I get load errors.

Although I know temp files can be anywhere (with corrected links) I think they should be in the originating plugins subfolder if they are unavoidable.

I also think bypassing 'about:blank' completely by having an actual html file that is then updated dynamically is also preferable.

but, since I'm not writing the rubies, time permitting, I'll test whatever you want to try.

john

thomthom · 3 Sept 2011, 21:15

I'm implementing a workaround where I manually use a temp file and .set_file into a patch I hope to release very soon.

It seems that at implementation level of .set_html differs from OSX and Windows. Where under Windows they create a temp file and feed that file to the web control. Where under OSX this is not the case, which is why we get about:blank and therefore get affected by strengthens security controls.

Dan Rathbun · 3 Sept 2011, 21:19

That's nice but it will depend on your Library ?

Has anyone logged this with Google ?? I'd think they'd wish to release patches if Safari 5.0.6 will break WebDialogs on all Mac versions.

thomthom · 3 Sept 2011, 21:21

@dan rathbun said:

That's nice but it will depend on your Library ?

Has anyone logged this with Google ?? I'd think they'd wish to release patches if Safari 5.0.6 will break WebDialogs on all Mac versions.

The only thing you need to implement is TT::System.temp_path which returns the temp directory. Other than that, the code snipped I posted is standalone.

thomthom · 3 Sept 2011, 22:30

Fixed a small bug in the sample code.

Dan Rathbun · 3 Sept 2011, 23:02

Not personal.. but I'd prefer to rely on "tmpdir.rb" in the Standard Lib.

thomthom · 4 Sept 2011, 04:54

@dan rathbun said:

Not personal.. but I'd prefer to rely on "tmpdir.rb" in the Standard Lib.

Sure, it's just a bare bone example. In fact, it'd probably be best to use tempfile.rb to create the temp file as well.

thomthom · 4 Sept 2011, 06:12

I did some further testing I found some issues which I addressed in my example: http://forums.sketchucation.com/viewtopic.php?f=180&t=39842&p=352375#p352375

.set_file doesn't cause the content of the webdialog to update if the filename is the same. So I made the example generate a new file with a unique seed in the filename to ensure it's updated.

.set_file and .set_url now immediately cleans up the temp file if .set_html was used prior.

No more references to my TT_Lib in the example.

Linked to the Standard Lib in the comments for more robust temp file handlers.

Dan Rathbun · 4 Sept 2011, 06:35

Can these meta tags be injected to prevent caching:
%(#8000BF)[<META HTTP-EQUIV="Pragma" CONTENT="no-cache"> <META HTTP-EQUIV="Expires" CONTENT="-1">]

ref: How to prevent caching in Internet Explorer

thomthom · 4 Sept 2011, 06:59

@dan rathbun said:

Can these meta tags be injected to prevent caching:
%(#8000BF)[<META HTTP-EQUIV="Pragma" CONTENT="no-cache"> <META HTTP-EQUIV="Expires" CONTENT="-1">]

ref: How to prevent caching in Internet Explorer

I did consider sending a refresh comment to JS, but I figured I'd follow the pattern of how .set_html works on Windows, which is creating a temp file with a unique name.

Dan Rathbun · 4 Sept 2011, 07:41

@dan rathbun said:

Has anyone logged this with Google ?? I'd think they'd wish to release patches if Safari 5.0.6 will break WebDialogs on all Mac versions.

TT ?

thomthom · 4 Sept 2011, 08:15

I've not logged anything yet. Been bugging a couple to see if they could shed some light.

thomthom · 4 Sept 2011, 08:21

Driven: I implemented a patch. Update to TT_Lib 2.5.5
http://forums.sketchucation.com/viewtopic.php?f=323&t=30503

fredo6 · 4 Sept 2011, 09:11

To all,

Can we summarize what is the problem and what could be the workaround.

From what Driven has signaled, there are problems in both 5.0.3 and 5.0.6 Safari versions.

Also it would be good to hear from the Google SU Team, as they can perfectly implement a central solution that makes set_htmlwork.

Fredo