Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove mediawiki.page.ready.js from recent mediawiki archives because it breaks the iframe #376

Closed
Jaifroid opened this issue Mar 3, 2023 · 4 comments
Assignees
Labels
bug upstream Should be worked on in kiwix-js
Milestone

Comments

@Jaifroid
Copy link
Member

Jaifroid commented Mar 3, 2023

This is the PWA-specific version of openzim/mwoffliner#1803, for providing a quick-and-dirty patch for removing this archive. It is currently known to affect Wiktionary archives since 2023-02, but could well start cropping up in other mwOffliner archives.

@Jaifroid
Copy link
Member Author

Jaifroid commented Mar 4, 2023

@danielzgtg I have implemented a fix for this in the test version of the PWA:

https://kiwix.github.io/kiwix-js-windows/www/index.html

Perhaps you could verify? Please note that if you have used the test PWA before, you will need to let it update to v2.3.8. It will notify you about 10 seconds after launch (in Configuration) if it needs a restart to do so. If it is already showing v2.3.8 when you first launch it, you should be good to go. Please test without Tampermonkey script enabled.

The patch, and other modifications to CSS and JS in this reader are gated behind the option circled in screenshot below. Leave this on to test. Also, it needs to be tested in ServiceWorker mode.

To test without this patch and some other modifications to Wikimedia archives, you can turn this option off, but in that case the latest Wiktionary archive will break out of the iframe.

image

Once thoroughly tested here, I'll backport just the part that prevents Wiktionary from being read to Kiwix JS if it looks like fixing this at source (in mwOffliner) is complicated or likely to be delayed.

@danielzgtg
Copy link
Contributor

danielzgtg commented Mar 4, 2023

I have verified that your fix works! The main Wiktionary page remained normal for longer than a few seconds, and I was able to search for and open the article named "wiki".

The option was left on initially, and displayed fine right away. When I turn off the option, I reproduced the zim breaking out, and when I turned the option back on, the zim behaved normally again.

The website had 2.3.8 and ServiceWorker shown right away after I loaded it. I never added this domain to my userscripts, but I disabled the entire Tampermonkey extension for the duration of these tests just in case.

EDIT: Also tested in Chrome in addition to Firefox. The test had the same results, except I had to rename the zim file on disk to regain control after disabling the option before being able to reenable it.

@Jaifroid
Copy link
Member Author

Jaifroid commented Mar 4, 2023

Thank you very much for testing this so carefully.

@Jaifroid
Copy link
Member Author

Jaifroid commented Mar 5, 2023

This fix is now included in v2.4.0. There are two mechanisms of protection: one removes the offending JS (a Wiktionary-specific fix until openzim/mwoffliner#1803 is fixed at source), and the other is the implementation of the sandbox attribute on the iframe.

Many thanks to @danielzgtg for helping to identify the issue and suggesting the sandbox solution, which makes the app more robust even if it would not ultimately stop a determined malicious actor.

Closing, but the fix should be backported to Kiwix JS for the next release.

@Jaifroid Jaifroid closed this as completed Mar 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug upstream Should be worked on in kiwix-js
Projects
None yet
Development

No branches or pull requests

2 participants