Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

wip #1

Merged
merged 10 commits into from
Mar 19, 2018
Merged

wip #1

merged 10 commits into from
Mar 19, 2018

Conversation

vlymar
Copy link
Contributor

@vlymar vlymar commented Mar 9, 2018
edited
Loading

Changes

  • Replaces mozilla's domains with our own in the HOSTED_VIEWER_ORIGINS whitelist.
  • Renames main engine controller from PdfjsViewer::ApplicationController to PdfjsViewer::PdfApplicationController to prevent namespace collisions with our main app's ApplicationController
  • Allows the engine routes to be embedded as iframes only under our base url
    • implemented with a combination of X-Frame-Options and Content-Security-Policy headers
  • Restricts the domains that files will be loaded from to a whitelist
  • Viewer can only be loaded in an iframe

@vlymar vlymar self-assigned this Mar 14, 2018
@vlymar vlymar requested a review from drusepth March 14, 2018 23:57
@vlymar vlymar requested a review from jsegal-citybase March 16, 2018 17:47
drusepth
drusepth approved these changes Mar 19, 2018
View reviewed changes
Copy link

@drusepth drusepth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks awesome. No changes from me.

app/assets/javascripts/pdfjs_viewer/viewer.js
var FILE_ORIGIN_WHITELIST = [
'https://screendoor.dobt.dev',
'https://dobt-screendoor-staging.s3.amazonaws.com',
'https://dobt-screendoor.s3.amazonaws.com'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It'd be pretty cool to just include this in production and the previous line in dev/staging, but definitely not necessary. I'm not sure how we'd even do that well if this is sitting in a separate gem, though.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I decided to avoid dealing with injecting configuration into this file. The less we change this file, the easier it will be to pull in upstream updates from the pdf.js repo.

@drusepth drusepth removed their assignment Mar 19, 2018
@vlymar vlymar merged commit d99cf7c into master Mar 19, 2018
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@jsegal-citybase jsegal-citybase jsegal-citybase approved these changes

@drusepth drusepth drusepth approved these changes

Assignees

@vlymar vlymar

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vlymar @drusepth @jsegal-citybase