SDKLauncher-iOS icon indicating copy to clipboard operation
SDKLauncher-iOS copied to clipboard

Published 20 hours ago verified publisher icon readium

WkWebView looses cross-origin restriction (protection against malicious EPUBs)

Open danielweck opened this issue 9 years ago • 1 comments

...because the file:// URI scheme / protocol cannot be used anymore for serving reader.html from the app-bundle (alongside HTTP://IP:PORT for serving the EPUB content documents). This also means that using different origins will bi-bidirectionally sandbox the iframe, preventing the Readium rendering engine (readium-shared-js) to perform some behaviour injection such as Media Overlays playback, annotations, etc.

See: https://docs.google.com/document/d/1GK1aVsrTv23WroBWMX-XiwYtXbq6huW_pK8QXRaY6XQ/

Note that window.top / parent / frameElement.ownerDocument.defaultView cannot reliably be used to plug the security holes, so we removed them from the cloud reader and chrome extension.

danielweck avatar Jun 17 '15 17:06 danielweck

See: https://github.com/readium/SDKLauncher-iOS/tree/feature/wkwebview https://github.com/readium/readium-sdk/tree/feature/wkwebview

danielweck avatar Jun 17 '15 17:06 danielweck