Textpattern CMS support forum

#37 2024-12-13 10:16:59

etc
Developer
Registered: 2010-11-11
Posts: 5,255
Website GitHub

Re: Dialog vertical positioning changes ?

Fine, but it does not help me to see what could be wrong with sandboxing. I’ve got no local mac setup to test other public themes, but the demo site works fine in Safari. Would you mind posting more details of what happens if sandbox is checked, please?

Offline

#38 2024-12-13 17:39:10

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,296
GitHub

Re: Dialog vertical positioning changes ?

etc wrote #338513:

I’ve got no local mac setup to test other public themes

Aside: we have a gratis / donated BrowserStack account if that’s useful.

Offline

#39 2024-12-13 17:43:32

etc
Developer
Registered: 2010-11-11
Posts: 5,255
Website GitHub

Re: Dialog vertical positioning changes ?

gaekwad wrote #338516:

Aside: we have a gratis / donated BrowserStack account if that’s useful.

Ah, might be.

Offline

#40 2024-12-14 00:07:50

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,243
Website

Re: Dialog vertical positioning changes ?

etc wrote #338513:

Fine, but it does not help me to see what could be wrong with sandboxing. I’ve got no local mac setup to test other public themes, but the demo site works fine in Safari. Would you mind posting more details of what happens if sandbox is checked, please?

I have already explained in this or previous thread the multiple issues. Start by inserting some script in the page – <script src=path/to/prism.js>. The page never displays as scripting is not allowed in the sandbox and your script to remove the style block (opacity:0) in the source document is not removed. Having (stricter) CSP directives also triggers “failures” – stylesheets, images, … not loaded with the appropriate memo in the console, such as, paraphrasing, “stylesheet.css not allowed by style-src…”.

As I said, Safari appears to have a rather strict understanding of sandbox.

Maybe I have time and energy over the we to dig it all up, including the console messages. Don’t bet on it though. Monday is more likely.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#41 2024-12-14 09:23:50

etc
Developer
Registered: 2010-11-11
Posts: 5,255
Website GitHub

Re: Dialog vertical positioning changes ?

phiw13 wrote #338520:

Start by inserting some script in the page – <script src=path/to/prism.js>. The page never displays as scripting is not allowed in the sandbox and your script to remove the style block (opacity:0) in the source document is not removed.

Isn’t it a path problem? Relative links in preview are resolved in admin URL context, try setting <base /> in your public theme.

Having (stricter) CSP directives also triggers “failures” – stylesheets, images, … not loaded with the appropriate memo in the console, such as, paraphrasing, “stylesheet.css not allowed by style-src…”.

CSP needs to be tweaked, sure, even for unsandboxed preview.

Offline

#42 2024-12-14 12:59:27

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,243
Website

Re: Dialog vertical positioning changes ?

Screenshot: dev.l-c-n.com/_b/saf18-sandbox-iframe.png

Actual issue: the iframe is/looks blank as this: <style id="HIDEHTML">html { opacity: 0.0 !important;}</style> has not been removed.

Source of article (oldie): emps.l-c-n.com/notebook/using-svg-files-as-content-images

One script, 2 web fonts, 1 stylesheet – all root relative URL

Console:
[Error] Blocked script execution in ‘about:blank’ because the document’s frame is sandboxed and the ‘allow-scripts’ permission is not set. (x2)
[Error] Blocked script execution in ‘about:blank’ because the document’s frame is sandboxed and the ‘allow-scripts’ permission is not set. (anonymous function) (jquery.js:2:47744)
[Error] Blocked script execution in ‘about:srcdoc’ because the document’s frame is sandboxed and the ‘allow-scripts’ permission is not set. (x3)

[Error] Origin null is not allowed by Access-Control-Allow-Origin. Status code: 200
[Error] Failed to load resource: Origin null is not allowed by Access-Control-Allow-Origin. Status code: 200 (pt_sans-narrow-bold.woff2, line 0)
[Error] Origin null is not allowed by Access-Control-Allow-Origin. Status code: 200
[Error] Failed to load resource: Origin null is not allowed by Access-Control-Allow-Origin. Status code: 200 (SourceSerif4Variable-Roman.ttf.woff2, line 0)

[Error] Blocked script execution in ‘about:srcdoc’ because the document’s frame is sandboxed and the ‘allow-scripts’ permission is not set.

–^–

PS

ui-dialog:has(#preview-frame.disabled)::before {
  width: clamp(1em, 15%, 4em);
  aspect-ratio: 1/1;
}

for your pleasure…


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#43 2024-12-14 13:13:11

etc
Developer
Registered: 2010-11-11
Posts: 5,255
Website GitHub

Re: Dialog vertical positioning changes ?

Thanks, but this is not fair because I have replaced iframe’s sandbox="allow-scripts" with sandbox="" on your demand. If you could manually (in Safari console) reset it to allow-scripts before updating the preview, that would be ace. As for fonts, that’s another problem.

Offline

#44 2024-12-14 13:20:27

etc
Developer
Registered: 2010-11-11
Posts: 5,255
Website GitHub

Re: Dialog vertical positioning changes ?

phiw13 wrote #338523:

ui-dialog:has(#preview-frame.disabled)::before {...

for your pleasure…

Oh, aspect-ratio! Ace, thanks!

Offline

#45 2024-12-14 13:27:03

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,243
Website

Re: Dialog vertical positioning changes ?

etc wrote #338524:

Thanks, but this is not fair because I have replaced iframe’s sandbox="allow-scripts" with sandbox="" on your demand. If you could manually (in Safari console) reset it to allow-scripts before updating the preview, that would be ace. As for fonts, that’s another problem.

&lt;sigh&gt; Sandbox attribute is set, checkbox is ticked (default view), see image: dev.l-c-n.com/_b/saf18-sandbox2.png. If scripts are allowed, or if sandbox is removed (equivalent to unchecking the checkbox at the bottom), then of course the page renders as expected with scripts, fonts and the whole payload.

To recap what I have been saying endlessly: sandboxed preview displays a blank panel in Safari. With sandbox="allow scripts" the page is rendered (minus webfonts), depending on CSP directives the stylesheet is blocked as well. With the sandbox attribute removed, all is well.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline
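
The three outcomes recapped in the post above (blank panel with an empty sandbox, rendered minus web fonts with allow-scripts, everything loading with no sandbox) follow from two sandbox flags. This is an added example, not part of any post and not Textpattern code; the function names and the `fontAcao` parameter are assumptions made for illustration.

```javascript
// Added example: models the behaviour reported in this thread.
// Sandbox tokens are whitespace-separated and ASCII case-insensitive.
function parseSandbox(attr) {
  // attr === null means the iframe carries no sandbox attribute at all.
  if (attr === null) {
    return { sandboxed: false, scripts: true, opaqueOrigin: false };
  }
  const tokens = new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
  return {
    sandboxed: true,
    // Without allow-scripts every script in the frame is blocked.
    scripts: tokens.has('allow-scripts'),
    // Without allow-same-origin the document gets an opaque origin,
    // which is sent as "Origin: null" on CORS requests.
    opaqueOrigin: !tokens.has('allow-same-origin'),
  };
}

// fontAcao: Access-Control-Allow-Origin value returned for the font files,
// or null when the header is absent (assumed input, same-site fonts).
function previewOutcome(attr, fontAcao) {
  const s = parseSandbox(attr);
  // Web fonts are always fetched in CORS mode. A same-origin fetch needs no
  // ACAO header, but an opaque origin is cross-origin to every server.
  const fontsLoad = !s.opaqueOrigin || fontAcao === '*' || fontAcao === 'null';
  return {
    scriptsRun: s.scripts,
    // The preview document hides <html> with opacity:0 until a script
    // removes the #HIDEHTML style block, so no scripts means a blank panel.
    pageVisible: s.scripts,
    fontsLoad,
  };
}

// The three cases from the thread, with no ACAO header on the fonts.
for (const attr of ['', 'allow-scripts', null]) {
  console.log(JSON.stringify(attr), previewOutcome(attr, null));
}
```
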

#46 2024-12-14 14:06:18

etc
Developer
Registered: 2010-11-11
Posts: 5,255
Website GitHub

Re: Dialog vertical positioning changes ?

phiw13 wrote #338526:

With sandbox="allow scripts" the page is rendered (minus webfonts), depending on CSP directives the stylesheet is blocked as well. With the sandbox attribute removed, all is well.

That’s what I wanted to know, thanks. The interplay between sandbox and csp seems different in Safari and Firefox. Adding self to style-src-elem allows Firefox to load styles even in sandbox.

Offline

#47 2024-12-15 02:28:15

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,243
Website

Re: Dialog vertical positioning changes ?

BTW, something I forgot to note, the first two errors mentioned happen when the article write panel is first loaded – and thus before accessing the preview iframe.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#48 2024-12-15 12:22:14

etc
Developer
Registered: 2010-11-11
Posts: 5,255
Website GitHub

Re: Dialog vertical positioning changes ?

phiw13 wrote #338533:

BTW, something I forgot to note, the first two errors mentioned happen when the article write panel is first loaded – and thus before accessing the preview iframe.

That’s weird, because iframe is initially empty (neither src nor srcdoc). Some browser tool interaction?

Offline
