fix (iframe): cross domain iframe issue on safari

MickaelK
2024-09-06 17:23:15 +10:00
parent 8dc89e58fc
commit 1cbda3519f
7 changed files with 19 additions and 3 deletions


@ -6,6 +6,7 @@ export function http_get(url, type = "json", params) {
xhr.open("GET", url, true);
xhr.withCredentials = true;
xhr.setRequestHeader("X-Requested-With", "XmlHttpRequest");
if (window.BEARER_TOKEN) xhr.setRequestHeader("Authorization", `Bearer ${window.BEARER_TOKEN}`);
xhr.onerror = function() {
handle_error_response(xhr, err);
};
@ -51,6 +52,7 @@ export function http_post(url, data, type = "json", params) {
xhr.open("POST", url, true);
xhr.withCredentials = true;
xhr.setRequestHeader("X-Requested-With", "XmlHttpRequest");
if (window.BEARER_TOKEN) xhr.setRequestHeader("Authorization", `Bearer ${window.BEARER_TOKEN}`);
if (data && type === "json") {
data = JSON.stringify(data);
xhr.setRequestHeader("Content-Type", "application/json");
@ -70,6 +72,10 @@ export function http_post(url, data, type = "json", params) {
handle_error_response(xhr, err);
return;
}
const bearerToken = xhr.getResponseHeader("bearer");
if (bearerToken) window.BEARER_TOKEN = bearerToken;
try {
const data = JSON.parse(xhr.responseText);
if (data.status !== "ok") {
@ -98,6 +104,7 @@ export function http_delete(url) {
xhr.open("DELETE", url, true);
xhr.withCredentials = true;
xhr.setRequestHeader("X-Requested-With", "XmlHttpRequest");
if (window.BEARER_TOKEN) xhr.setRequestHeader("Authorization", `Bearer ${window.BEARER_TOKEN}`);
xhr.onerror = function() {
handle_error_response(xhr, err);
};
@ -129,6 +136,7 @@ export function http_options(url) {
xhr.open("OPTIONS", url, true);
xhr.withCredentials = true;
xhr.setRequestHeader("X-Requested-With", "XmlHttpRequest");
if (window.BEARER_TOKEN) xhr.setRequestHeader("Authorization", `Bearer ${window.BEARER_TOKEN}`);
xhr.onerror = function() {
handle_error_response(xhr, err);
};
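Review bot: The added `Authorization` line in `http_get`, `http_post`, `http_delete` and `http_options` never looks at `url`, so a caller passing an absolute URL on another origin would send the session token there. The `opts.headers["Authorization"]` line in the rxjs ajax wrapper has the same gap. Making the condition `if (window.BEARER_TOKEN && new URL(url, location.href).origin === location.origin)` keeps the token on the app's own API. The same origin test belongs in front of `window.BEARER_TOKEN = bearerToken` in `http_post`, so that a response from elsewhere cannot replace the stored token. The four functions start and end outside these hunks, and since the line is now repeated four times a small shared helper would keep the check in one place.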


@ -8,6 +8,7 @@ function LogoutPageComponent({ error, history }) {
useEffect(() => {
Session.logout().then((res) => {
cache.destroy();
delete window.BEARER_TOKEN;
window.CONFIG["logout"] ?
location.href = CONFIG["logout"] :
history.push("/");
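Review bot: `delete window.BEARER_TOKEN` runs only in the success callback of `Session.logout()`, so a failed logout request leaves the token in memory and later requests keep sending it. The new `rxjs.tap` in the other logout controller has the same shape, since an error from `deleteSession()` or `setup_config` goes straight to `catchError` and skips the delete. Clearing the token on both outcomes would close this, e.g. `.finally(() => { delete window.BEARER_TOKEN; })` here (assuming `Session.logout()` returns a native promise) and `rxjs.finalize(() => { delete window.BEARER_TOKEN; })` in the rxjs version. The rest of the promise chain is outside the hunk, so an existing rejection handler may already cover part of this.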


@ -6,6 +6,7 @@ export default function(opts) {
else if (typeof opts !== "object") throw new Error("unsupported call");
if (!opts.headers) opts.headers = {};
opts.headers["X-Requested-With"] = "XmlHttpRequest";
if (window.BEARER_TOKEN) opts.headers["Authorization"] = `Bearer ${window.BEARER_TOKEN}`;
return ajax({ withCredentials: true, ...opts, responseType: "text" }).pipe(
rxjs.map((res) => {
const result = res.xhr.responseText;


@ -198,7 +198,8 @@ export default async function(render) {
return rxjs.of(null).pipe(
rxjs.tap(() => toggleLoader(true)),
rxjs.mergeMap(() => createSession(formData)),
rxjs.tap(({ responseJSON }) => { // TODO
rxjs.tap(({ responseJSON, responseHeaders }) => {
if (responseHeaders.bearer) window.BEARER_TOKEN = responseHeaders.bearer; // fix https://support.apple.com/en-au/guide/safari/sfri40732/mac
let redirectURL = toHref("/files/");
const GET = getURLParams();
if (GET["next"]) redirectURL = GET["next"];
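Review bot: The comment on the `window.BEARER_TOKEN` line is only a link, which does not tell a reader why a login response header is copied into a global. Something like `// Safari blocks the session cookie inside a cross-site iframe, so keep the token from the "bearer" response header and send it as Authorization instead` would say it; that wording is inferred from the commit title and should be confirmed. The token is held only in memory, so it is presumably lost on a full page load, and if that is intended the same comment is the place to say so. The enclosing pipe continues outside the hunk.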


@ -12,7 +12,10 @@ export default function(render) {
effect(deleteSession().pipe(
rxjs.mergeMap(setup_config),
rxjs.tap(() => window.CONFIG["logout"] ? location.href = window.CONFIG["logout"] : navigate(toHref("/"))),
rxjs.tap(() => {
delete window.BEARER_TOKEN;
window.CONFIG["logout"] ? location.href = window.CONFIG["logout"] : navigate(toHref("/"))
}),
rxjs.catchError(ctrlError(render)),
));
}


@ -123,6 +123,9 @@ func SessionAuthenticate(ctx *App, res http.ResponseWriter, req *http.Request) {
index++
}
}
if Config.Get("features.protection.iframe").String() != "" {
res.Header().Set("bearer", obfuscate)
}
if home != "" {
SendSuccessResult(res, home)
return
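Review bot: `res.Header().Set("bearer", obfuscate)` hands the value in `obfuscate` to page JavaScript. If that is the same value placed in the session cookie (its assignment is above the hunk, so this is inferred), whatever protection the cookie had from being HttpOnly no longer applies once `features.protection.iframe` is set. A comment on the branch should state that trade-off, e.g. `// exposes the session token to client script so it can be sent as "Authorization: Bearer" when the browser blocks the cookie in a cross-site iframe`. It would also help to name where the server accepts the `Authorization` header, since that code is not in this hunk.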


@ -100,7 +100,6 @@ func Build(a App) *mux.Router {
} else { // TODO: remove this after migration is done
r.PathPrefix(WithBase("/assets")).Handler(http.HandlerFunc(NewMiddlewareChain(ServeFile("/"), middlewares, a))).Methods("GET")
r.HandleFunc(WithBase("/favicon.ico"), NewMiddlewareChain(ServeFile("/assets/logo/"), middlewares, a)).Methods("GET")
r.HandleFunc(WithBase("/sw_cache.js"), NewMiddlewareChain(ServeFile("/assets/worker/"), middlewares, a)).Methods("GET")
}
// Other endpoints