Posted to jetspeed-dev@portals.apache.org by "Woonsan Ko (JIRA)" <je...@portals.apache.org> on 2009/09/10 12:38:57 UTC

[jira] Created: (JS2-1063) PortletWindow desktop widget fails to render portlet content when the content has script tag with src attribute pointing a url of different domain.

PortletWindow desktop widget fails to render portlet content when the content has script tag with src attribute pointing a url of different domain.
---------------------------------------------------------------------------------------------------------------------------------------------------

                 Key: JS2-1063
                 URL: https://issues.apache.org/jira/browse/JS2-1063
             Project: Jetspeed 2
          Issue Type: Bug
          Components: Desktop
    Affects Versions: 2.2.0
            Reporter: Woonsan Ko
            Assignee: Woonsan Ko
             Fix For: 2.2.1


The PortletWindow widget (/javascript/jetspeed/widget/PortletWindow.src.js) tries to retrieve the script source, which can be embedded in the script tag or retrieved from the remote URL set in the "src" attribute, in order to "fix" some script sources (such as attaching events or document.write stuff) by using proper dojo functions.
The "_fixScripts" function in PortletWindow.src.js replaces some problematic script code which can screw up the desktop page.
For example,
(addEventListener|attachEvent) --> jetspeed.postload_(addEventListener|attachEvent),
(document.write|document.writeln) --> jetspeed.postload_docwrite
(location.href) --> jetspeed.setdoclocation.
However, because it fails to retrieve script sources from different-domain URLs for security reasons, it fails to render the portlet content.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


[jira] Resolved: (JS2-1063) PortletWindow desktop widget fails to render portlet content when the content has script tag with src attribute pointing a url of different domain.

Posted by "Woonsan Ko (JIRA)" <je...@portals.apache.org>.
     [ https://issues.apache.org/jira/browse/JS2-1063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Woonsan Ko resolved JS2-1063.
-----------------------------

    Resolution: Fixed

Fixed by not trying to retrieve script content from a different-domain website.
So, if portlet content contains a script with a different-domain URL, then the script element will not be added to the desktop page.
By the way, if a script resource of portlet content should be used in desktop mode, the script URL should be translated to a local-domain URL by using reverse proxying.
The desktop components cannot decide to do reverse proxying for the content. It's the portlet provider's own responsibility.

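
The decision described in the resolution (process inline and same-domain scripts, leave out scripts whose src points at another domain) can be sketched as follows. This is an added example, not code from PortletWindow.src.js or the Jetspeed project; the function names, the page URL and the sample script list are assumptions constructed for illustration.

```javascript
// Added illustration; isSameOrigin and planScripts are hypothetical names.

// Resolve src against the desktop page URL and compare scheme, host and port,
// which is the comparison the browser applies before allowing a script fetch
// whose response text is readable.
function isSameOrigin(src, pageUrl) {
  let resolved;
  try {
    resolved = new URL(src, pageUrl); // handles relative and //host forms
  } catch (e) {
    return false; // unparsable src: treat as a different domain
  }
  // Schemes such as data: have an opaque origin that serializes to "null".
  return resolved.origin !== "null" &&
         resolved.origin === new URL(pageUrl).origin;
}

// Split the script elements found in portlet markup into those whose source
// can be read and rewritten and those that are left out of the desktop page.
function planScripts(scripts, pageUrl) {
  const plan = { process: [], skip: [] };
  for (const s of scripts) {
    if (!s.src) {
      plan.process.push({ kind: "inline", text: s.text });
    } else if (isSameOrigin(s.src, pageUrl)) {
      plan.process.push({ kind: "fetch", url: new URL(s.src, pageUrl).href });
    } else {
      plan.skip.push(s.src);
    }
  }
  return plan;
}

// Constructed sample input: one inline script and five src values.
const PAGE_URL = "https://portal.example/jetspeed/desktop/default-page.psml";
const SAMPLE_SCRIPTS = [
  { text: "init();" },                       // inline
  { src: "/jetspeed/javascript/a.js" },      // relative, same origin
  { src: "https://portal.example:443/b.js" },// default port, same origin
  { src: "//cdn.example.net/lib.js" },       // different host
  { src: "http://portal.example/c.js" },     // different scheme
  { src: "data:text/javascript,void0" },     // opaque origin
];

console.log(planScripts(SAMPLE_SCRIPTS, PAGE_URL));
```

A script that the portlet provider exposes through a reverse-proxied path on the portal host resolves to the page's own origin and so lands in the `process` list.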