diff --git a/src/components/structures/RoomView.js b/src/components/structures/RoomView.js index f09e1197cf..75ab4a0db2 100644 --- a/src/components/structures/RoomView.js +++ b/src/components/structures/RoomView.js @@ -50,6 +50,8 @@ import RoomViewStore from '../../stores/RoomViewStore'; let DEBUG = false; let debuglog = function() {}; +const BROWSER_SUPPORTS_SANDBOX = 'sandbox' in document.createElement('iframe'); + if (DEBUG) { // using bind means that we get to keep useful line numbers in the console debuglog = console.log.bind(console); @@ -275,6 +277,8 @@ module.exports = React.createClass({ }, _shouldShowApps: function(room) { + if (!BROWSER_SUPPORTS_SANDBOX) return false; + const appsStateEvents = room.currentState.getStateEvents('im.vector.modular.widgets'); // any valid widget = show apps for (let i = 0; i < appsStateEvents.length; i++) { diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js index 23b7d9f604..79cf5969b3 100644 --- a/src/components/views/elements/AppTile.js +++ b/src/components/views/elements/AppTile.js @@ -121,7 +121,14 @@ export default React.createClass({ } else { appTileBody = (
- + // Note that there is advice saying allow-scripts shouldn;t be used with allow-same-origin + // because that would allow the iframe to prgramatically remove the sandbox attribute, but + // this would only be for content hosted on the same origin as the riot client: anything + // hosted on the same origin as the client will get the same access access as if you clicked + // a link to it. +
); }