From 2505ece9317b54de4d364b4967c71764b8198401 Mon Sep 17 00:00:00 2001
From: abose
Date: Sat, 6 Jan 2024 15:36:29 +0530
Subject: [PATCH] chore: add a trust project for live preview in phoenix iframe

---
 .../default/Phoenix-live-preview/main.js | 46 +++++-
 .../Phoenix-live-preview/trust-project.html | 140 ++++++++++++++++++
 src/nls/root/strings.js | 1 +
 src/project/ProjectManager.js | 2 +-
 4 files changed, 187 insertions(+), 2 deletions(-)
 create mode 100644 src/extensions/default/Phoenix-live-preview/trust-project.html

diff --git a/src/extensions/default/Phoenix-live-preview/main.js b/src/extensions/default/Phoenix-live-preview/main.js
index 216b17b20..0be32032a 100644
--- a/src/extensions/default/Phoenix-live-preview/main.js
+++ b/src/extensions/default/Phoenix-live-preview/main.js
@@ -56,9 +56,13 @@ define(function (require, exports, module) {
 LiveDevelopment = brackets.getModule("LiveDevelopment/main"),
 LiveDevServerManager = brackets.getModule("LiveDevelopment/LiveDevServerManager"),
 NativeApp = brackets.getModule("utils/NativeApp"),
+ FileUtils = brackets.getModule("file/FileUtils"),
 StaticServer = require("StaticServer"),
 utils = require('utils');
 
+ const PREVIEW_TRUSTED_PROJECT_KEY = "preview_trusted";
+ const moduleDir = FileUtils.getNativeModuleDirectoryPath(module);
+
 const LIVE_PREVIEW_PANEL_ID = "live-preview-panel",
 IFRAME_EVENT_SERVER_READY = 'SERVER_READY';
 let serverReady = false;
@@ -70,6 +74,42 @@ define(function (require, exports, module) {
 `;
 
+ function _getTrustProjectPage() {
+ return `${moduleDir}/trust-project.html?`
+ +`&localMessage=${encodeURIComponent(Strings.DESCRIPTION_LIVEDEV_SECURITY_TRUST_MESSAGE)}`
+ +`&initialProjectRoot=${encodeURIComponent(ProjectManager.getProjectRoot().fullPath)}`
+ +`&okMessage=${encodeURIComponent(Strings.TRUST_PROJECT)}`;
+ }
+
+ function _isProjectPreviewTrusted() {
+ // In desktop builds, each project is securely sandboxed in its own live preview server:port domain.
+ // This setup ensures security within the browser sandbox, eliminating the need for a trust
+ // confirmation dialog. We can display the live preview immediately.
+ if(Phoenix.browser.isTauri || Phoenix.isTestWindow){ // for test windows, we trust all test files
+ return true;
+ }
+ // In browsers, since all live previews for all projects uses the same phcode.live domain,
+ // untrusted projects can access data of past opened projects. So we have to show a trust project?
+ // dialog in live preview in browser.
+ // Future plans for browser versions include adopting a similar approach to dynamically generate
+ // URLs in the format `project-name.phcode.live`. This will streamline the workflow by removing
+ // the current reliance on users to manually verify and trust each project in the browser.
+ const projectPath = ProjectManager.getProjectRoot().fullPath;
+ if(projectPath === ProjectManager.getWelcomeProjectPath() ||
+ projectPath === ProjectManager.getExploreProjectPath()){
+ return true;
+ }
+ const isTrustedProject = `${PREVIEW_TRUSTED_PROJECT_KEY}-${projectPath}`;
+ return !!PhStore.getItem(isTrustedProject);
+ }
+
+ window._trustCurrentProjectForLivePreview = function () {
+ const projectPath = ProjectManager.getProjectRoot().fullPath;
+ const isTrustedProjectKey = `${PREVIEW_TRUSTED_PROJECT_KEY}-${projectPath}`;
+ PhStore.setItem(isTrustedProjectKey, true);
+ _loadPreview(true);
+ };
+
 ExtensionInterface.registerExtensionInterface(
 ExtensionInterface._DEFAULT_EXTENSIONS_INTERFACE_NAMES.PHOENIX_LIVE_PREVIEW,
 exports);
@@ -265,7 +305,11 @@ define(function (require, exports, module) {
 newIframe.insertAfter($iframe);
 $iframe.remove();
 $iframe = newIframe;
- $iframe.attr('src', newSrc);
+ if(_isProjectPreviewTrusted()){
+ $iframe.attr('src', newSrc);
+ } else {
+ $iframe.attr('src', _getTrustProjectPage());
+ }
 }
 
 Metrics.countEvent(Metrics.EVENT_TYPE.LIVE_PREVIEW, "render", utils.getExtension(previewDetails.fullPath));
diff --git a/src/extensions/default/Phoenix-live-preview/trust-project.html b/src/extensions/default/Phoenix-live-preview/trust-project.html
new file mode 100644
index 000000000..4a3f936eb
--- /dev/null
+++ b/src/extensions/default/Phoenix-live-preview/trust-project.html
@@ -0,0 +1,140 @@
+ + + + + Phoenix Live Preview Loader... + + + + + +
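Review bot: The trust decision in `_isProjectPreviewTrusted` and `window._trustCurrentProjectForLivePreview` is persisted under a key derived only from the project path (`${PREVIEW_TRUSTED_PROJECT_KEY}-${projectPath}`), so any project later opened at the same path — including a different project that replaces the folder — inherits the earlier grant without a new prompt; a comment stating that trust is per path, not per project content, belongs next to the key, and it is worth deciding whether the entry should be cleared when a project at that path is removed or replaced. The key is built in two places, once in a variable named `isTrustedProject` that holds a string rather than a boolean; a single helper `const _trustKey = (projectPath) => `${PREVIEW_TRUSTED_PROJECT_KEY}-${projectPath}`;` used from both functions removes the duplication and the misleading name. `_getTrustProjectPage` passes `Strings.TRUST_PROJECT` unformatted, and the strings.js hunk in this patch shows its value is `"Trust Project - {0}"`, so unless trust-project.html substitutes `{0}` itself the button label will show the raw placeholder — format it here (for example with the project folder name) or confirm the page does. The query string it builds also starts with `?&`, which browsers tolerate but reads as a slip; drop the leading `&` on the first parameter. Since `window._trustCurrentProjectForLivePreview` is a global that grants trust for whatever project is current when it is called, a JSDoc line naming its intended caller (presumably the OK button in trust-project.html via the parent window) would help the next reader judge whether a call is legitimate.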
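Review bot: `Metrics.countEvent(Metrics.EVENT_TYPE.LIVE_PREVIEW, "render", ...)` still runs unconditionally after the new branch, so in browser builds a "render" is now counted every time the trust page is shown in place of the preview; either move the call into the trusted branch or report the untrusted case under a distinct event name. The gate is applied only on the path that creates `newIframe`; `_loadPreview` begins and ends outside this hunk, so I cannot see whether any other assignment to the iframe `src` exists, and if one does it needs the same check. Computing the source once, `const src = _isProjectPreviewTrusted() ? newSrc : _getTrustProjectPage();`, and then assigning `$iframe.attr('src', src);` keeps that decision in one place.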
+
+
Phoenix Code Live Preview
+
+ You are about to open an HTML file for live preview. Please proceed only if you trust the source of this project. Click 'OK' to continue, or close this window if you do not trust the source. +
+
+ +
+
+
+ + \ No newline at end of file diff --git a/src/nls/root/strings.js b/src/nls/root/strings.js index 19404aadf..d29e40598 100644 --- a/src/nls/root/strings.js +++ b/src/nls/root/strings.js @@ -905,6 +905,7 @@ define({ "DESCRIPTION_LIVEDEV_MAIN_SPAN": "Get the best live preview experience by downloading our native apps for Windows, Mac, and Linux from phcode.io.
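Review bot: The static copy in the new page ("Click 'OK' to continue, or close this window…") disagrees with the `localMessage` and `okMessage` values main.js now passes in the query string (the new DESCRIPTION_LIVEDEV_SECURITY_TRUST_MESSAGE and `"Trust Project - {0}"`), so either the page overwrites the static text from those parameters or the two will drift; the markup and script of this file are not preserved in the hunk as shown here, so I cannot confirm which. If the script does write `localMessage`, `okMessage` or `initialProjectRoot` into the document, it should assign them with `textContent` rather than `innerHTML`, since `initialProjectRoot` is a project path that originates outside the extension. A short comment at the top of the page naming the three query parameters it expects, and that it is meant to be loaded only from the extension's own directory, would make the contract with main.js explicit.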
", "DESCRIPTION_LIVEDEV_SECURITY": "Security Warning from phcode.dev

This live preview attempted to access a non-project file. Access was denied for your safety. Please exercise caution when working on untrusted projects.",
 "DESCRIPTION_LIVEDEV_SECURITY_POPOUT_MESSAGE": "You are about to open a file for live preview. Please proceed only if you trust the source of this project. Click 'Trust Project' to continue, or close this window if you do not trust the source.",
+ "DESCRIPTION_LIVEDEV_SECURITY_TRUST_MESSAGE": "You are about to open a file for live preview. Please proceed by clicking 'Trust Project' only if you trust the source of this project!",
 "TRUST_PROJECT": "Trust Project - {0}",
 
 // Strings for Auto Update
diff --git a/src/project/ProjectManager.js b/src/project/ProjectManager.js
index ad1e6fe2a..107596c3c 100644
--- a/src/project/ProjectManager.js
+++ b/src/project/ProjectManager.js
@@ -756,7 +756,7 @@ define(function (require, exports, module) {
 }
 
 function getExploreProjectPath() {
- return `${getLocalProjectsPath()}explore`;
+ return `${getLocalProjectsPath()}explore/`;
 }
 
 /**
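Review bot: `getExploreProjectPath()` now returns a trailing-slash path, which changes the value every existing caller receives, not only the new equality check in Phoenix-live-preview/main.js; any caller that appends `/` itself or compares against the old unslashed form will break, so existing callers should be checked before this lands. A JSDoc `@return {string}` on the function noting the trailing slash would make the contract explicit; the main.js comparison also assumes `getWelcomeProjectPath()` is slashed the same way, which this hunk does not show.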