[ https://issues.apache.org/jira/browse/JS2-1063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Woonsan Ko resolved JS2-1063.
-----------------------------

    Resolution: Fixed

Fixed by not trying to retrieve script content from a website on a different 
domain. So, if portlet content contains a script with a URL on a different 
domain, the script element will not be added to the desktop page.
By the way, if a script resource of portlet content should be used in 
desktop mode, the script URL should be translated to a local-domain URL 
by using reverse proxying.
The desktop components cannot decide to do reverse proxying for the content. 
It's the portlet provider's own responsibility.

> PortletWindow desktop widget fails to render portlet content when the content 
> has script tag with src attribute pointing a url of different domain.
> ---------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: JS2-1063
>                 URL: https://issues.apache.org/jira/browse/JS2-1063
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Desktop
>    Affects Versions: 2.2.0
>            Reporter: Woonsan Ko
>            Assignee: Woonsan Ko
>             Fix For: 2.2.1
>
>
> The PortletWindow widget (/javascript/jetspeed/widget/PortletWindow.src.js) 
> tries to retrieve the script source, which can be embedded in the script tag 
> or retrieved from the remote URL set in the "src" attribute, to "fix" some 
> script sources (such as attaching events or document.write stuff) with the 
> proper dojo functions.
> The "_fixScripts" function in PortletWindow.src.js replaces some problematic 
> script code which can screw up the desktop page.
> For example,
> (addEventListener|attachEvent) --> jetspeed.postload_(addEventListener|attachEvent),
> (document.write|document.writeln) --> jetspeed.postload_docwrite
> (location.href) --> jetspeed.setdoclocation.
> However, because it fails to retrieve script sources from URLs on a different 
> domain for security reasons, it fails to render the portlet content.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
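
The behaviour described in the resolution, sketched as an added example (not Jetspeed's code and not part of the original message): inline and local scripts are rewritten, scripts from another origin are left out of the desktop page. The helper names, the regexes, the `loadLocal` callback and the sample URLs are assumptions; only the `jetspeed.*` replacement names come from the issue text, and the comparison uses the browser's origin rule (scheme, host and port), which is what blocks the cross-domain retrieval.

```javascript
// Added example, not Jetspeed's code: helper names and regexes are assumptions.
// Only the jetspeed.* replacement names come from the issue text.

// True when src resolves to the same scheme, host and port as the page.
function isSameOrigin(src, pageUrl) {
  try {
    return new URL(src, pageUrl).origin === new URL(pageUrl).origin;
  } catch (e) {
    return false; // unparsable URL: treat as foreign
  }
}

// Token-level rewrites as listed in the issue. (?<![\w$]) avoids matching
// inside a longer identifier.
function fixScriptText(text) {
  return text
    .replace(/(?<![\w$])(addEventListener|attachEvent)\b/g, "jetspeed.postload_$1")
    .replace(/(?<![\w$])document\.write(?:ln)?\b/g, "jetspeed.postload_docwrite")
    .replace(/(?<![\w$])location\.href\b/g, "jetspeed.setdoclocation");
}

// scripts: [{src, text}] as parsed from portlet markup. loadLocal(url) is a
// hypothetical loader for same-origin sources (an XHR in a real page).
function planScripts(scripts, pageUrl, loadLocal) {
  const kept = [], skipped = [];
  for (const s of scripts) {
    if (!s.src) {
      kept.push(fixScriptText(s.text));
    } else if (isSameOrigin(s.src, pageUrl)) {
      kept.push(fixScriptText(loadLocal(new URL(s.src, pageUrl).href)));
    } else {
      skipped.push(s.src); // per the resolution: element is not added
    }
  }
  return { kept, skipped };
}

// Constructed sample input.
const PAGE = "https://portal.example/jetspeed/desktop";
const LOCAL = { "https://portal.example/js/a.js": "document.writeln('hi');" };
const SAMPLE = [
  { text: "window.addEventListener('load', init);" },
  { src: "/js/a.js" },
  { src: "https://cdn.example/lib.js" },
  { src: "http://portal.example/js/a.js" }, // same host, different scheme
];
const RESULT = planScripts(SAMPLE, PAGE, (u) => LOCAL[u]);
console.log(RESULT);
```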

