mirror of
https://github.com/gristlabs/grist-core.git
synced 2024-10-27 20:44:07 +00:00
(core) Serving widget info page from home url
Summary: Custom widget into page is served from a homeUrl instead of untrusted URL, which might be not used in grist-core. Test Plan: manual test Reviewers: paulfitz Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D3307
This commit is contained in:
parent
d2b82b84c7
commit
351d70d4fb
@ -15,12 +15,13 @@ import {CustomViewSectionDef} from 'app/client/models/entities/ViewSectionRec';
|
||||
import {UserError} from 'app/client/models/errors';
|
||||
import {SortedRowSet} from 'app/client/models/rowset';
|
||||
import {PluginInstance} from 'app/common/PluginInstance';
|
||||
import {AccessLevel} from 'app/common/CustomWidget';
|
||||
import {closeRegisteredMenu} from 'app/client/ui2018/menus';
|
||||
import {getGristConfig} from 'app/common/urlUtils';
|
||||
import {Events as BackboneEvents} from 'backbone';
|
||||
import {dom as grains} from 'grainjs';
|
||||
import * as ko from 'knockout';
|
||||
import defaults = require('lodash/defaults');
|
||||
import {AccessLevel} from 'app/common/CustomWidget';
|
||||
import {closeRegisteredMenu} from 'app/client/ui2018/menus';
|
||||
|
||||
/**
|
||||
* CustomView components displays arbitrary html. There are two modes available, in the "url" mode
|
||||
@ -76,7 +77,7 @@ export class CustomView extends Disposable {
|
||||
|
||||
this._customDef = this.viewSection.customDef;
|
||||
|
||||
this._emptyWidgetPage = new URL("custom-widget.html", gristDoc.app.topAppModel.getUntrustedContentOrigin()).href;
|
||||
this._emptyWidgetPage = new URL("custom-widget.html", getGristConfig().homeUrl!).href;
|
||||
|
||||
this.autoDisposeCallback(() => {
|
||||
if (this._customSection) {
|
||||
|
@ -450,6 +450,9 @@ export class FlexServer implements GristServer {
|
||||
// Plugins get access to static resources without a tag
|
||||
this.app.use(limitToPlugins(express.static(getAppPathTo(this.appRoot, 'static'))));
|
||||
this.app.use(limitToPlugins(express.static(getAppPathTo(this.appRoot, 'bower_components'))));
|
||||
// Serve custom-widget.html message for anyone.
|
||||
this.app.use(/^\/(custom-widget.html)$/, expressWrap(async (req, res) =>
|
||||
res.sendFile(req.params[0], {root: getAppPathTo(this.appRoot, 'static')})));
|
||||
this.addOrg();
|
||||
addPluginEndpoints(this, await this._addPluginManager());
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user