warc2zim

onxxx link not rewritten

Open rgaudin opened this issue 2 years ago • 4 comments

Haven't investigated enough to understand which component is responsible but to reproduce:

  • Go to https://dev.library.kiwix.org/viewer#solidarite-numerique_fr_2023-03/
  • Click on any of the cards

You must be using Chrome.

This leads to the broken content Chrome response with the following message in the console:

Refused to frame 'https://www.solidarite-numerique.fr/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: mediastream: ws: wss:". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

What happens is that those links are location changes emitted in a click event from an onclick attribute.

<aside onclick="document.location.href='https://www.solidarite-numerique.fr/tutoriels/utiliser-le-decodex-pour-verifier-les-fausses-informations-ou-fake-news/?thematique=sinformer';" class="sinformer"></aside>

Not sure if Wombat should detect and fix this…

Firefox doesn't exhibit the same behavior if you're online as it will display the online content.

rgaudin avatar Jul 03 '23 18:07 rgaudin

Just to confirm that Firefox now also (correctly) blocks navigation when clicking on a card (see screenshot). However, when clicking on the link "lire la suite" in the card, Firefox is able to follow it to the correct document in the ZIM (not an online version of it, which would now be blocked by CSP), whereas Chrome blocks that navigation too. Both appear to process the onclick event, but Firefox doesn't show a blank blocked page, instead cancels the onclick navigation, then follows the link. Chrome shows the blocked page and then gives up.

Behaviour is the same for Kiwix Serve and the PWA.

image

Jaifroid avatar Jan 02 '24 09:01 Jaifroid

@rgaudin I think you're right that this is an "overlooked" case in Wombat, because it appears that the inline onclick event isn't intercepted by the Wombat shims, whereas the real hyperlink in "lire la suite" is rewritten.

@ikreymer I suppose Wombat "should" handle inline JS events that produce navigation but fails to do so here. Is/was this a known issue?

EDIT: There is a strict CSP in place that prevents accessing external content in the iframe of Kiwix Serve (and the PWA). Could it be that the CSP is triggered before Wombat's rewrite routine processes the link?

Jaifroid avatar Jan 02 '24 09:01 Jaifroid

Transferring this to warc2zim repo since this is where the issue resides.

I confirm the problem is still there, even with zimit2. The problem is that none of the onxxx tags are rewritten, while they probably should be. @mgautierfr WDYT?

This should probably be taken into account as part of the zimit2 effort. @kelson42 WDYT?

benoit74 avatar Mar 11 '24 09:03 benoit74

> The problem is that none of the onxxx tags are rewritten, while they probably should be. @mgautierfr WDYT?

I think I have missed that. We should. (And wabac is doing it: https://github.com/webrecorder/wabac.js/blob/main/src/rewrite/html.js#L143-L145)

mgautierfr avatar Mar 21 '24 08:03 mgautierfr
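An added example, not code from warc2zim, wabac.js or Wombat: a small audit that lists inline `on*` handlers embedding an absolute URL, which is the pattern the CSP `default-src 'self'` fallback refuses to frame, and a rewrite of those URLs to a same-origin path. The `/content/` prefix and the `to_archive_path` mapping are assumptions made for illustration, and the sample markup is constructed from the `<aside>` quoted in the issue.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Absolute http(s) URL inside a quoted JavaScript string literal.
URL_IN_JS = re.compile(r"""(['"])(https?://[^'"\s]+)\1""")


class InlineHandlerAudit(HTMLParser):
    """Collect on* attributes whose script embeds an absolute URL."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # html.parser lowercases attribute names
            if name.startswith("on") and value:
                for _quote, url in URL_IN_JS.findall(value):
                    self.findings.append((tag, name, url))


def audit(html):
    parser = InlineHandlerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def to_archive_path(url, prefix="/content/"):
    """Hypothetical mapping of a live URL to a same-origin archive path."""
    parts = urlsplit(url)
    query = f"?{parts.query}" if parts.query else ""
    return f"{prefix}{parts.netloc}{parts.path or '/'}{query}"


def rewrite_handler(js):
    """Rewrite every quoted absolute URL in one handler's script."""
    return URL_IN_JS.sub(lambda m: m.group(1) + to_archive_path(m.group(2)) + m.group(1), js)


# Constructed sample: the <aside> from the issue plus an ordinary link,
# which the audit ignores because href is not an event handler.
SAMPLE = (
    '<aside onclick="document.location.href=\'https://www.solidarite-numerique.fr/tutoriels/'
    'utiliser-le-decodex-pour-verifier-les-fausses-informations-ou-fake-news/'
    '?thematique=sinformer\';" class="sinformer"></aside>'
    '<a href="https://www.solidarite-numerique.fr/">lire la suite</a>'
)
```

A literal-matching pass like this only catches URLs written out as quoted strings; handlers that build the target at runtime need the script itself rewritten.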

Fixed by #270

kelson42 avatar May 25 '24 05:05 kelson42