External content is inaccessible in the viewer iframe #943

Closed
veloman-yunkan opened this issue May 2, 2023 · 6 comments · Fixed by #959

@veloman-yunkan
Collaborator

Sandboxing of the content in the viewer iframe (introduced by #906 and then reimplemented through #924 & #930) has resulted in links to external resources becoming inoperable in the viewer (no matter if kiwix-serve is started with the --blockexternal option or not).

This issue was noticed earlier and since it persisted after #906 was overridden by #924/#930 it definitely needs a dedicated ticket.

@Jaifroid has proposed to fix the issue by making external links open in a new tab/window. At this point I don't see any other solution.

@Jaifroid
Member

Jaifroid commented May 2, 2023

Thanks for opening this issue. The (untested in Kiwix Serve) code I suggested is here:

kiwix/kiwix-tools#604 (comment)

(obviously will need to be adapted to the Kiwix Serve environment).

@kelson42 kelson42 added the bug label May 2, 2023
@kelson42 kelson42 added this to the 12.1.0 milestone May 2, 2023
@veloman-yunkan
Collaborator Author

An easy fix might be adding allow-top-navigation-by-user-activation to the Content Security Policy sandbox directive. One downside with that solution is that it again opens the possibility of losing the viewer toolbar if an internal link in a ZIM file has its target attribute set to _top. I cannot think of other downsides.
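
Added example (not from the thread or the Kiwix code base): a small JavaScript audit of a CSP `sandbox` directive, showing how the token proposed above changes what a link in the framed content can do. The policy strings are constructed samples, and `sandboxTokens` and `auditSandbox` are hypothetical helper names.

```javascript
// Added example: constructed policies, not kiwix-serve's actual header.
const STRICT = "default-src 'self'; sandbox allow-scripts allow-same-origin allow-forms";
const RELAXED = STRICT + ' allow-top-navigation-by-user-activation';

// Tokens of the first `sandbox` directive, or null when the policy has none.
function sandboxTokens(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'sandbox') {
      return new Set(values.map((v) => v.toLowerCase()));
    }
  }
  return null;
}

// Report what a link inside the sandboxed document is allowed to do.
function auditSandbox(cspHeader) {
  const tokens = sandboxTokens(cspHeader);
  if (tokens === null) {
    return { sandboxed: false, topNavigation: 'always', popups: true,
             findings: ['no sandbox directive'] };
  }
  let topNavigation = 'blocked';
  if (tokens.has('allow-top-navigation')) topNavigation = 'always';
  else if (tokens.has('allow-top-navigation-by-user-activation')) topNavigation = 'user-activation';
  const popups = tokens.has('allow-popups');
  const findings = [];
  if (topNavigation === 'always') {
    findings.push('content can replace the embedding page without a user gesture');
  } else if (topNavigation === 'user-activation') {
    findings.push('a clicked link with target="_top" replaces the embedding page');
  } else {
    findings.push('links cannot navigate the top-level page');
  }
  findings.push(popups
    ? 'target="_blank" links and window.open() may open new windows'
    : 'target="_blank" links and window.open() are blocked');
  if (popups && !tokens.has('allow-popups-to-escape-sandbox')) {
    findings.push('new windows inherit the sandbox restrictions');
  }
  return { sandboxed: true, topNavigation, popups, findings };
}

for (const policy of [STRICT, RELAXED]) {
  console.log(policy, auditSandbox(policy));
}
```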

@Jaifroid
Member

Jaifroid commented May 2, 2023

Does that ask the user? I haven't seen that directive in action. If it works, it would be better than adding event listeners. So long as the user is protected out of the box (from the browser destroying the iframe, which was the very reason we introduced the sandbox in the first place).

@kelson42
Collaborator

kelson42 commented May 2, 2023

> @Jaifroid has proposed to fix the issue by making external links open in a new tab/window. At this point I don't see any other solution

Kind of acceptable for me, if nobody has a better alternative.

@Jaifroid
Member

Jaifroid commented May 3, 2023

Any fix for this issue should also take into account kiwix/kiwix-tools#591. The solution would be broadly the same (if using a click event listener, as opposed to relaxing the sandbox).

@veloman-yunkan
Collaborator Author

> At this point I don't see any other solution.

It seems that a workaround was found.
