Jetspeed 2
  1. Jetspeed 2
  2. JS2-1063

PortletWindow desktop widget fails to render portlet content when the content has script tag with src attribute pointing a url of different domain.

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.2.1
    • Component/s: Desktop
    • Labels:
      None

      Description

      PortletWindow widget (/javascript/jetspeed/widget/PortletWindow.src.js) tries to retrieve script source which can be embedded in the script tag or retrieved from the remote url which is set in "src" attribute to "fix" some script sources (such as attaching events or document.write stuff) by proper dojo functions.
      The "_fixScripts" function in PortletWindow.src.js replaces some problematic script codes which can screw up desktop page.
      For example,
      (addEventListener|attachEvent) -->
      jetspeed.postload_(addEventListener|attachEvent),
      (document.write|document.writeln) --> jetspeed.postload_docwrite
      (location.href) --> jetspeed.setdoclocation.
      However, because it fails to retrieve script sources from different domain urls for security reasons, it fails to render the portlet content.

        Activity

        Hide
        Woonsan Ko added a comment -

        Fixed by not trying to retrieve script content from a different domain website.
        So, if a portlet content contains a script with different domain-based url, then the script element will not be added in the desktop page.
        By the way, if a script resource of a portlet content should be used in the desktop mode, the script url should be translated to a local domain-based url by using reverse-proxying.
        The desktop components cannot decide to do reverse proxying for the content. It's portlet provider's own responsibility.

        Show
        Woonsan Ko added a comment - Fixed by not trying to retrieve script content from a different domain website. So, if a portlet content contains a script with different domain-based url, then the script element will not be added in the desktop page. By the way, if a script resource of a portlet content should be used in the desktop mode, the script url should be translated to a local domain-based url by using reverse-proxying. The desktop components cannot decide to do reverse proxying for the content. It's portlet provider's own responsibility.

          People

          • Assignee:
            Woonsan Ko
            Reporter:
            Woonsan Ko
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development