From 351d70d4fbeec9b6753e91c514a58b588dd18479 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaros=C5=82aw=20Sadzi=C5=84ski?=
Date: Mon, 7 Mar 2022 13:58:06 +0100
Subject: [PATCH] (core) Serving widget info page from home url
Summary: Custom widget into page is served from a homeUrl instead of untrusted URL, which might be not used in grist-core.
Test Plan: manual test
Reviewers: paulfitz
Reviewed By: paulfitz
Differential Revision: https://phab.getgrist.com/D3307
---
 app/client/components/CustomView.ts | 7 ++++---
 app/server/lib/FlexServer.ts | 3 +++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/app/client/components/CustomView.ts b/app/client/components/CustomView.ts
index bf3e0a36..36a08157 100644
--- a/app/client/components/CustomView.ts
+++ b/app/client/components/CustomView.ts
@@ -15,12 +15,13 @@ import {CustomViewSectionDef} from 'app/client/models/entities/ViewSectionRec';
 import {UserError} from 'app/client/models/errors';
 import {SortedRowSet} from 'app/client/models/rowset';
 import {PluginInstance} from 'app/common/PluginInstance';
+import {AccessLevel} from 'app/common/CustomWidget';
+import {closeRegisteredMenu} from 'app/client/ui2018/menus';
+import {getGristConfig} from 'app/common/urlUtils';
 import {Events as BackboneEvents} from 'backbone';
 import {dom as grains} from 'grainjs';
 import * as ko from 'knockout';
 import defaults = require('lodash/defaults');
-import {AccessLevel} from 'app/common/CustomWidget';
-import {closeRegisteredMenu} from 'app/client/ui2018/menus';
 /**
 * CustomView components displays arbitrary html. There are two modes available, in the "url" mode
@@ -76,7 +77,7 @@ export class CustomView extends Disposable {
 this._customDef = this.viewSection.customDef;
- this._emptyWidgetPage = new URL("custom-widget.html", gristDoc.app.topAppModel.getUntrustedContentOrigin()).href;
+ this._emptyWidgetPage = new URL("custom-widget.html", getGristConfig().homeUrl!).href;
 this.autoDisposeCallback(() => {
 if (this._customSection) {
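Review bot: The non-null assertion in `getGristConfig().homeUrl!` (second CustomView.ts hunk) only silences the type checker; if `homeUrl` is absent from the config at runtime, `new URL("custom-widget.html", ...)` throws inside the constructor with an unhelpful message. An explicit guard such as `const homeUrl = getGristConfig().homeUrl; if (!homeUrl) { throw new Error('homeUrl is not configured'); }` would make that failure clear. The placeholder page now loads from the application's own origin instead of the untrusted-content origin, so a comment like `// Static placeholder only; user-supplied widget content must never be served from homeUrl.` would record the trust assumption, and it is worth confirming that the frame hosting it is restricted accordingly (not visible here). The constructor continues outside the hunk.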
diff --git a/app/server/lib/FlexServer.ts b/app/server/lib/FlexServer.ts
index fc82e852..cec7dd90 100644
--- a/app/server/lib/FlexServer.ts
+++ b/app/server/lib/FlexServer.ts
@@ -450,6 +450,9 @@ export class FlexServer implements GristServer {
 // Plugins get access to static resources without a tag
 this.app.use(limitToPlugins(express.static(getAppPathTo(this.appRoot, 'static'))));
 this.app.use(limitToPlugins(express.static(getAppPathTo(this.appRoot, 'bower_components'))));
+ // Serve custom-widget.html message for anyone.
+ this.app.use(/^\/(custom-widget.html)$/, expressWrap(async (req, res) =>
+ res.sendFile(req.params[0], {root: getAppPathTo(this.appRoot, 'static')})));
 this.addOrg();
 addPluginEndpoints(this, await this._addPluginManager());
 }
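Review bot: The route pattern `/^\/(custom-widget.html)$/` leaves the dot unescaped, so it matches any character in that position, and the captured request text is then handed to `res.sendFile` as the file name. Because this endpoint is deliberately open to everyone, it is safer to serve a fixed name: `this.app.use(/^\/custom-widget\.html$/, expressWrap(async (req, res) =>` followed by `res.sendFile('custom-widget.html', {root: getAppPathTo(this.appRoot, 'static')})));`. The `root` option already confines the lookup to the static directory, so this is hardening rather than a demonstrated bypass. The enclosing method starts outside the hunk.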