onxxx link not rewritten #209

Closed
rgaudin opened this issue Jul 3, 2023 · 5 comments

rgaudin commented Jul 3, 2023

Haven't investigated enough to understand which component is responsible but to reproduce:

You must be using Chrome.

This leads to the broken content Chrome response with the following message in the console:

Refused to frame 'https://www.solidarite-numerique.fr/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: mediastream: ws: wss:". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

What happens is that those links are location changes emitted in a click event from an onclick attribute.

<aside onclick="document.location.href='https://www.solidarite-numerique.fr/tutoriels/utiliser-le-decodex-pour-verifier-les-fausses-informations-ou-fake-news/?thematique=sinformer';" class="sinformer"></aside>

Not sure if Wombat should detect and fix this…

Firefox doesn't exhibit the same behavior if you're online as it will display the online content.

@rgaudin rgaudin added bug Something isn't working question Further information is requested upstream labels Jul 3, 2023

Jaifroid commented Jan 2, 2024

Just to confirm that Firefox now also (correctly) blocks navigation when clicking on a card (see screenshot). However, when clicking on the link "lire la suite" in the card, Firefox is able to follow it to the correct document in the ZIM (not an online version of it, which would now be blocked by CSP), whereas Chrome blocks that navigation too. Both appear to process the onclick event, but Firefox doesn't show a blank blocked page, instead cancels the onclick navigation, then follows the link. Chrome shows the blocked page and then gives up.

Behaviour is the same for Kiwix Serve and the PWA.

image


Jaifroid commented Jan 2, 2024

@rgaudin I think you're right that this is an "overlooked" case in Wombat, because it appears that the inline onclick event isn't intercepted by the Wombat shims, whereas the real hyperlink in "lire la suite" is rewritten.

@ikreymer I suppose Wombat "should" handle inline JS events that produce navigation but fails to do so here. Is/was this a known issue?

EDIT: There is a strict CSP in place that prevents accessing external content in the iframe of Kiwix Serve (and the PWA). Could it be that the CSP is triggered before Wombat's rewrite routine processes the link?

@benoit74

Transferring this to warc2zim repo since this is where the issue resides.

I confirm the problem is still there, even with zimit2. The problem is that none of the onxxx tags are rewritten, while they probably should be. @mgautierfr WDYT?

This should probably be taken into account as part of zimit2 effort. @kelson42 WDYT?

@benoit74 benoit74 transferred this issue from openzim/zimit Mar 11, 2024
@mgautierfr

> The problem is that none of the onxxx tags are rewritten, while they probably should be. @mgautierfr WDYT?

I think I have missed that. We should. (And wabac is doing it: https://github.com/webrecorder/wabac.js/blob/main/src/rewrite/html.js#L143-L145)

@benoit74 benoit74 changed the title onclick link not rewritten onxxx link not rewritten May 2, 2024
@benoit74 benoit74 removed question Further information is requested upstream labels May 2, 2024
@benoit74 benoit74 added this to the 2.0.0 milestone May 2, 2024
@benoit74 benoit74 self-assigned this May 21, 2024
@kelson42

Fixed by #270
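
An added example (not code from warc2zim, Wombat or wabac.js): a small Python audit that scans rewritten HTML for on* attributes whose inline JavaScript still navigates to an absolute URL outside the archive, which is the case reported in this issue. The archive origin `http://localhost:8080`, the names `HandlerAudit` and `find_unrewritten_handlers`, and every sample element except the quoted `<aside>` are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Absolute http(s) URLs inside a JavaScript string; deliberately simple,
# it does not catch URLs assembled at runtime.
ABS_URL = re.compile(r"""https?://[^\s'"<>\\)]+""", re.IGNORECASE)


class HandlerAudit(HTMLParser):
    """Collect on* attributes that still point at an external origin."""

    def __init__(self, archive_origin):
        super().__init__(convert_charrefs=True)
        self.archive_origin = archive_origin.lower()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not name.startswith("on") or not value:
                continue
            for url in ABS_URL.findall(value):
                parts = urlsplit(url)
                origin = f"{parts.scheme}://{parts.netloc}".lower()
                if origin != self.archive_origin:
                    self.findings.append((tag, name, url))


def find_unrewritten_handlers(html, archive_origin):
    audit = HandlerAudit(archive_origin)
    audit.feed(html)
    audit.close()
    return audit.findings


# Constructed sample: the <aside> is the element quoted in the issue; the
# other two elements and the origin below are made up for the example.
ARCHIVE_ORIGIN = "http://localhost:8080"
SAMPLE = """
<aside onclick="document.location.href='https://www.solidarite-numerique.fr/tutoriels/utiliser-le-decodex-pour-verifier-les-fausses-informations-ou-fake-news/?thematique=sinformer';" class="sinformer"></aside>
<a href="tutoriels/decodex/">lire la suite</a>
<div onmouseover="window.location='http://localhost:8080/content/page'"></div>
"""

if __name__ == "__main__":
    for tag, attr, url in find_unrewritten_handlers(SAMPLE, ARCHIVE_ORIGIN):
        print(f"<{tag}> {attr} navigates outside the archive: {url}")
```

Only the `<aside>` is reported: the plain `href` is not an event handler, and the `onmouseover` target already sits on the archive origin.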
