accept file:// as safe origin for widgets (required for Cordova)

fquirin · fquirin · commit 3000bfdb5b12 · 2021-08-30T19:53:31.000+02:00
diff --git a/www/scripts/sepiaFW.frames.js b/www/scripts/sepiaFW.frames.js
@@ -158,9 +158,10 @@ function sepiaFW_build_frames(){
 		//get HTML - is there a language dependent version?
 		var framePage = Frames.getLocalOrDefaultPage(info.pageUrl, SepiaFW.config.appLanguage).trim();
 		var isValidLocalURL = SepiaFW.tools.isRelativeFileUrl(framePage, "html");
+		var isAcceptableFileOrigin = (framePage.indexOf("file://") == 0);	//any other condition? - This is important for Android (Cordova)
 		var isTrustedRemoteUrl = SepiaFW.tools.isRemoteFileUrl(framePage, "html") 
 			&& (SepiaFW.tools.isSameOrigin(framePage) || SepiaFW.config.urlIsSepiaFileHost(framePage));
-		var isTrusted = isValidLocalURL || isTrustedRemoteUrl;
+		var isTrusted = isValidLocalURL || isAcceptableFileOrigin || isTrustedRemoteUrl;
 
 		//$.get(framePage, function(frameHtml){
         SepiaFW.files.fetch(framePage, function(frameHtml){
diff --git a/www/scripts/sepiaFW.ui.cards.embed.js b/www/scripts/sepiaFW.ui.cards.embed.js
@@ -213,9 +213,10 @@ function sepiaFW_build_ui_cards_embed(){
 		widgetUrl = SepiaFW.config.replacePathTagWithActualPath(widgetUrl);
 		//check URL - NOTE: currently we do not allow unknown URLs
 		var isValidLocalURL = SepiaFW.tools.isRelativeFileUrl(widgetUrl, "html");
+		var isAcceptableFileOrigin = (widgetUrl.indexOf("file://") == 0);	//any other condition? - This is important for Android (Cordova)
 		var isTrustedRemoteUrl = SepiaFW.tools.isRemoteFileUrl(widgetUrl, "html") 
 			&& (SepiaFW.tools.isSameOrigin(widgetUrl) || SepiaFW.config.urlIsSepiaFileHost(widgetUrl));
-		var widgetIsTrusted = isValidLocalURL || isTrustedRemoteUrl;
+		var widgetIsTrusted = isValidLocalURL || isAcceptableFileOrigin || isTrustedRemoteUrl;
 		if (!widgetIsTrusted){
 			SepiaFW.debug.error("WARNING: Embedded MediaPlayer Widget URL has remote location and was BLOCKED due to security restrictions! - URL: " + widgetUrl);
 			SepiaFW.ui.showSafeWarningPopup("Warning", [
@@ -485,8 +486,9 @@ function sepiaFW_build_ui_cards_embed(){
 
 		//Content
 		thisPlayer.mediaRequest = function(type, request, autoplay, safeRequest, doneCallback, errorCallback){
+			SepiaFW.debug.info("Embedded MediaPlayer - MediaRequest: " + type + " - autoplay: " + !!(autoplay && widgetIsTrusted));
 			SepiaFW.audio.broadcastAudioEvent("embedded-media-player", "prepare");
-			if (autoplay){
+			if (autoplay && widgetIsTrusted){
 				//stop all previous audio first
 				SepiaFW.client.controls.media({
 					action: "stop",
