SDKLauncher-iOS
SDKLauncher-iOS copied to clipboard
WkWebView looses cross-origin restriction (protection against malicious EPUBs)
...because the file://
URI scheme / protocol cannot be used anymore for serving reader.html
from the app-bundle (alongside HTTP://IP:PORT
for serving the EPUB content documents). This also means that using different origins will bi-bidirectionally sandbox the iframe, preventing the Readium rendering engine (readium-shared-js) to perform some behaviour injection such as Media Overlays playback, annotations, etc.
See: https://docs.google.com/document/d/1GK1aVsrTv23WroBWMX-XiwYtXbq6huW_pK8QXRaY6XQ/
Note that window.top / parent / frameElement.ownerDocument.defaultView
cannot reliably be used to plug the security holes, so we removed them from the cloud reader and chrome extension.
See: https://github.com/readium/SDKLauncher-iOS/tree/feature/wkwebview https://github.com/readium/readium-sdk/tree/feature/wkwebview