Disable websecurity for webview

Only for source code. This option should not be enabled to prevent XSS. ref: #35, #55 and #59
2016-03-11 21:47:39 +09:00
parent 97808373ed
commit fcbfae69a7
1 changed files with 4 additions and 0 deletions
--- a/src/browser/index.jsx
+++ b/src/browser/index.jsx
@@ -219,6 +219,10 @@ var MattermostView = React.createClass({
    var thisObj = this;
    var webview = ReactDOM.findDOMNode(this.refs.webview);

+    // This option disables the same-origin policy and allows js/css/plugins not only content like images.
+    // So this should not be enabled.
+    webview.setAttribute('disablewebsecurity', true);
+
    webview.addEventListener('did-fail-load', function(e) {
      console.log(thisObj.props.name, 'webview did-fail-load', e);
      if (e.errorCode === -3) { // An operation was aborted (due to user action).