WebDialog.set_html fails under Safari 5.0.6
-
Could this be the 'security update' that's messing it up?
@unknownuser said:
WebKit in Apple Safari before 5.0.6 has improper libxslt security settings, which allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via a crafted web site. NOTE: this may overlap CVE-2011-1425.
http://www.cvedetails.com/cve/CVE-2011-1774/
http://support.apple.com/kb/ht4808
-
Referring to my earlier post on Security Policies, I went through the Apple Developer Library and the Webkit.org docs, looking for a policy list similar to the Chrome list. Could not find anything. (Sheesh.. I hate that Apple website, so hard to find anything.)
Has anyone checked to see if Safari has a manifest file like Chrome, with policy settings ??
-
@dan rathbun said:
@thomthom said:
@dan rathbun said:
P.S. : I wonder if Mac Sketchup changes any of these Safari security policies when it installs, ...
Never been a problem before... Something must have changed at 5.0.6.
Meaning, you have upgraded Safari a number of times in the past, without causing adverse effects on Sketchup WebDialogs ??
Yes, at least not in terms of permissions. Updating Safari of course means an updated render engine, like when you update IE. But never have I experienced blocking changes like this.
-
Summary
In order to link to local resources in webdialogs one has to use the file:/// prefix. Problems arise under OSX with Safari 5.0.6 or higher: local resources are not allowed to be accessed any more. Images, CSS and JS will not load. External resources do work though.
What might be happening:
Under Windows when you use webdialog.set_html, document.location will report a file located in the user's temp folder. Under OSX on the other hand, document.location reports about:blank. So it appears to be feeding the HTML to the webdialog differently from Windows. The current theory as to why .set_html fails in 5.0.6 is that a security issue has been closed where about:blank pages were used to gain access to local resources. Due to the design differences between Windows and OSX, .set_html now fails to load local resources.
Workaround
Here is a quick bare bone wrapper class:
%(#BF0000)[Issue
Under OSX the garbage collector is not triggered upon SketchUp exit - so any webdialogs that have not been garbage collected will leave their temp files behind. Looking into the matter...]

# Custom WebDialog wrapper that works around problems with WebDialog#set_html
# under OSX after Safari 5.0.6 is installed.
#
# Example is bare bone without any error checking. Expand as you find fit.
class WebDialogPatch < UI::WebDialog

  # @note Safari 5.0.6 made .set_html unusable under OSX because any links to
  # resources ( Images, CSS, JS ) on the local computer failed to load.
  # Previously it would work when you specified file:/// but now it is denied.
  #
  # @param [String] html_string
  # @return [Nil]
  def set_html( html_string )
    # Clean up any old temp file.
    cleanup_temp_file()
    # Finalizer is attached to the webdialog so when it gets garbage collected
    # the temp file is erased.
    #
    # The temp filename needs to be different from the last one in order for the
    # html to be loaded. If the name is the same the content is not refreshed.
    #
    # For both the temp directory and temp file handling with better error
    # handling it'd probably be best to port `tmpdir.rb` and `tempfile.rb` from
    # the Standard Ruby Library.
    #
    # http://www.ruby-doc.org/stdlib-1.8.6/
    tempdir = File.expand_path( ENV['TMPDIR'] || ENV['TMP'] || ENV['TEMP'] )
    unique_seed = "#{self.object_id}#{Time.now.to_i}".hash.abs
    filename = "webdialog_#{unique_seed}.html"
    @tempfile = File.join( tempdir, filename )
    # The proc must not capture `self`, or the dialog would never be collected.
    cleanup_proc = self.class.cleanup_temp_file( @tempfile.dup )
    ObjectSpace.define_finalizer( self, cleanup_proc )
    # Write the HTML content out to the temp file.
    File.open( @tempfile, 'w' ) { |file|
      file.write( html_string )
    }
    set_file_original( @tempfile )
    nil
  end

  # @tempfile is set to `nil` when using #set_file and #set_url so the temp file
  # will be deleted. Since the #set_html wrapper uses #set_file it must be
  # aliased.
  unless private_method_defined?( :set_file_original )
    # Prevent redefining in case of script reloading, which would cause an
    # infinite loop.
    alias :set_file_original :set_file
    private :set_file_original
  end

  # @param [String] filename
  # @return [Nil]
  def set_file( filename )
    cleanup_temp_file()
    set_file_original( filename )
  end

  # @param [String] url
  # @return [Nil]
  def set_url( url )
    cleanup_temp_file()
    super
  end

  # @return [Nil]
  def cleanup_temp_file
    if @tempfile
      # The finalizer was registered on the dialog itself, so it must be
      # removed from `self` (not from the filename string).
      ObjectSpace.undefine_finalizer( self )
      File.delete( @tempfile ) if File.exist?( @tempfile )
    end
    @tempfile = nil
  end
  private :cleanup_temp_file

  # @private
  #
  # @see #set_html
  # @see http://www.mikeperham.com/2010/02/24/the-trouble-with-ruby-finalizers/
  #
  # @param [String] filename
  # @return [Proc]
  def self.cleanup_temp_file( filename )
    proc { File.delete( filename ) if File.exist?( filename ) }
  end

end # class
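As an added example (not code from the thread or from TT_Lib), here is the same temp-file approach built on the Standard Library's tempfile.rb and tmpdir.rb that the later replies point to, with the SketchUp dependency removed so the file handling can be exercised on its own. `HtmlTempPage` is a hypothetical name; the file:/// URL it returns is what a wrapper would hand to `set_file` or `set_url`, and it assumes a temp path without spaces.

```ruby
require 'tempfile'
require 'tmpdir'

# Writes each set_html payload to a fresh, uniquely named temp file and hands
# back a file:/// URL, mirroring what set_html does on Windows. Tempfile picks
# an unguessable name and creates the file with mode 0600 and O_EXCL, so
# nothing else in the shared temp directory can pre-create or read it.
class HtmlTempPage
  attr_reader :path

  # Returns the file:/// URL of the newly written page. A new name is used on
  # every call because reusing the same filename does not refresh the dialog.
  def set_html(html_string)
    cleanup
    file = Tempfile.new(['webdialog_', '.html'], Dir.tmpdir)
    file.write(html_string)
    file.close                     # flush; the file stays until cleanup
    @tempfile = file
    @path = file.path
    # Finalizer as a safety net for dialogs that are never cleaned up
    # explicitly. The proc must not capture self, or self is never collected.
    ObjectSpace.define_finalizer(self, self.class.cleanup_proc(@path))
    url
  end

  # file:///... for the current page, or nil when nothing has been written.
  # Stripping the leading slash yields three slashes on POSIX and
  # file:///C:/... style on Windows.
  def url
    @path ? "file:///#{@path.sub(%r{\A/}, '')}" : nil
  end

  # Deletes the current temp file (if any) and drops the finalizer, so the
  # object can be reused or a set_file / set_url call can follow safely.
  def cleanup
    return unless @tempfile
    ObjectSpace.undefine_finalizer(self)
    @tempfile.close unless @tempfile.closed?
    @tempfile.unlink
    @tempfile = nil
    @path = nil
  end

  def self.cleanup_proc(path)
    proc { File.delete(path) if File.exist?(path) }
  end
end
```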
-
A couple of observations while trying to get my head around all of this.
Firstly, in Apple's and probably Google's eyes the title of this thread should probably be 'WebDialog.set_html finally works as expected under Safari 5.0.6'. It does not appear to be considered a 'bug', but a security enhancement.
It seems to have been implemented in Safari 4, to stop about:blank pages pirating local files, and that some problem/oversight has allowed file:/// and other anonymous URLs to work with about:blank pages in SU WebDialog and other WebView apps.
I have a number of HTML editors and they use temp files written to the relative folder, so if I try to edit index.html (for example) all the links, srcs, URLs, etc. all remain relative and are considered safe. If I open the temp file from a different folder I get load errors.
Although I know temp files can be anywhere (with corrected links) I think they should be in the originating plugin's subfolder if they are unavoidable.
I also think bypassing 'about:blank' completely by having an actual HTML file that is then updated dynamically is also preferable.
But, since I'm not writing the rubies, time permitting, I'll test whatever you want to try.
john
-
I'm implementing a workaround where I manually use a temp file and .set_file into a patch I hope to release very soon.
It seems that the implementation of .set_html differs between OSX and Windows. Under Windows they create a temp file and feed that file to the web control. Under OSX this is not the case, which is why we get about:blank and therefore get affected by the strengthened security controls.
-
That's nice but it will depend on your Library ?
Has anyone logged this with Google ?? I'd think they'd wish to release patches if Safari 5.0.6 will break WebDialogs on all Mac versions.
-
@dan rathbun said:
That's nice but it will depend on your Library ?
Has anyone logged this with Google ?? I'd think they'd wish to release patches if Safari 5.0.6 will break WebDialogs on all Mac versions.
The only thing you need to implement is TT::System.temp_path which returns the temp directory. Other than that, the code snippet I posted is standalone.
-
Fixed a small bug in the sample code.
-
Not personal.. but I'd prefer to rely on "tmpdir.rb" in the Standard Lib.
-
@dan rathbun said:
Not personal.. but I'd prefer to rely on "tmpdir.rb" in the Standard Lib.
Sure, it's just a bare bone example. In fact, it'd probably be best to use tempfile.rb to create the temp file as well.
-
I did some further testing and found some issues which I addressed in my example: http://forums.sketchucation.com/viewtopic.php?f=180&t=39842&p=352375#p352375
.set_file doesn't cause the content of the webdialog to update if the filename is the same. So I made the example generate a new file with a unique seed in the filename to ensure it's updated.
.set_file and .set_url now immediately clean up the temp file if .set_html was used prior.
No more references to my TT_Lib in the example.
Linked to the Standard Lib in the comments for more robust temp file handlers.
-
Can these meta tags be injected to prevent caching:
%(#8000BF)[<META HTTP-EQUIV="Pragma" CONTENT="no-cache"> <META HTTP-EQUIV="Expires" CONTENT="-1">]
-
@dan rathbun said:
Can these meta tags be injected to prevent caching:
%(#8000BF)[<META HTTP-EQUIV="Pragma" CONTENT="no-cache"> <META HTTP-EQUIV="Expires" CONTENT="-1">]
I did consider sending a refresh command to JS, but I figured I'd follow the pattern of how .set_html works on Windows, which is creating a temp file with a unique name.
-
@dan rathbun said:
Has anyone logged this with Google ?? I'd think they'd wish to release patches if Safari 5.0.6 will break WebDialogs on all Mac versions.
TT ?
-
I've not logged anything yet. Been bugging a couple to see if they could shed some light.
-
Driven: I implemented a patch. Update to TT_Lib 2.5.5
http://forums.sketchucation.com/viewtopic.php?f=323&t=30503 -
To all,
Can we summarize what the problem is and what the workaround could be?
From what Driven has signaled, there are problems in both the 5.0.3 and 5.0.6 Safari versions.
Also it would be good to hear from the Google SU Team, as they can perfectly implement a central solution that makes set_html work.
Fredo
-
@thomthom said:
I've not logged anything yet. Been bugging a couple to see if they could shed some light.
OK.. then you're on "top of this"... I suppose "they'll" ask you to log a formal bug # if they don't do it themselves.
@Fredo.. agreed, and I hope they'll monitor this topic for ideas.
-
@unknownuser said:
Can we summarize what the problem is and what the workaround could be?
From what Driven has signaled, there are problems in both the 5.0.3 and 5.0.6 Safari versions.
I tried to summarize here: http://forums.sketchucation.com/viewtopic.php?f=180&t=39842&p=352375#p352375
Not sure about 5.0.3 - but there have been some discussions on how to format the URLs linking to local resources. We found that file:/// worked on both platforms.