WASM headers for online about richdocuments HOT 11 OPEN

Nope - we should run our WASM off the main thread, and do load, rendering etc. in the background; while continuing to render the UI in the main-thread with the same front-end code as now.

from richdocuments.

In that case the header should not be needed as far as @danxuliu told me

from richdocuments.

Hmm - ok ? it seems that we need the parent frame of our iframe to have this @Ashod can you provide more details; quite possibly I've mistaken what's up here I think. Quite possibly our startup WASM runs in the main thread initially (not sure).

from richdocuments.

I believe we need these two headers when serving the parent:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

Also had to add script-src unsafe-eval to the CSP header of our frame/js/wasm serving, but we will find out if that is required when we load with the above headers as the missing unsafe-eval was mentioned in the error message.

from richdocuments.

unsafe-eval would be quite an impactful change security wise.

For the others I pushed a quick PR to #3260 which should achieve setting those headers for Nextcloud. However we should of course get more clarify about which headers to add in the end, why and its implications.

from richdocuments.

unsafe-eval sounds bad; but I think we can do that with wasm-eval in future :-) thanks Julius.

from richdocuments.

For the others I pushed a quick PR to #3260 which should achieve setting those headers for Nextcloud. However we should of course get more clarify about which headers to add in the end, why and its implications.

@juliushaertl, I'd like to run some tests locally. Any chance to get the draft PR polished so I can build locally and test?
Thank in advance!

from richdocuments.

@Ashod Pushed and should be testable with that now.

Reference for what it currently set currently set:

from richdocuments.

Thanks @juliushaertl. The PR branch being out-of-date shouldn't be an issue?

@caolanm, does #3260 work for you? Are you able to apply it and build?

from richdocuments.

I have this patched richdocuments and a local nextcloud install. I can see it has an effect, but right now if I open a document, without wasm, then I just get an error of:

[getWopiUrl] http://localhost/nextcloud/index.php/apps/richdocuments/wopi/files/7_oca1b28l9m0b url.js:42:9
The resource at “http://localhost:9980/browser/70f697e3da/cool.html?WOPISrc=http%3A%2F%2Flocalhost%2Fnextcloud%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F7_oca1b28l9m0b&title=%2FDocuments%2FWelcome%20to%20Nextcloud%20Hub.docx&lang=en&closebutton=1&revisionhistory=1” was blocked due to its Cross-Origin-Resource-Policy header (or lack thereof). See https://developer.mozilla.org/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)# files

from richdocuments.

Seems this was caused by those two headers: #3258 (comment)

I pushed a fix up to the PR.

from richdocuments.