Bug in CelerityStaticResourceResponse


#1

Observed Behavior:
Stratcom determines a page is not frameable.

Expected Behavior:
Stratcom determines the page is frameable.

Phabricator Version:
Latest stable

Reproduction Steps:
From lines 268-273 in src/applications/celerity/CelerityStaticResourceResponse.php:

    if ($is_frameable) {
      $initializers[] = array(
        'data' => 'frameable',
        'kind' => (bool)$is_frameable,
      );
    }

The kind and data labels need to be switched (as can be verified by comparing to other initializers).


#2

This is obviously a bug, but I have no idea how to follow the reproduction steps to reproduce it or verify that it is fixed.


#3

We added our site domain to the frame-ancestors CSP in AphrontResponse

$csp[] = "frame-ancestors 'self' https://*.mycompany.io";

and marked the PhabricatorProjectBoardViewController:

$this->setFrameable(true)

(This allows us to embed the project boards in other applications running in our own domain).

However, the frame-busting JavaScript still triggered, as the HTML document contains the following:

<data data-javelin-init-kind="1" data-javelin-init-data="{&quot;frameable&quot;}"></data>

(or similar, am no longer at work)

After switching data and kind the JS no longer triggers.
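The following is an added example, not code from Phabricator or Javelin, that models the round trip described in #1 and #3: a server-side initializer tuple is rendered into a `<data>` element, the client reads it back, and a frame-busting check decides whether the page may stay framed. The attribute names `data-javelin-init-kind` / `data-javelin-init-data` and the `frame-ancestors` directive are taken from the thread; the rendering and parsing logic, the simplified CSP matcher and all function names are assumptions for illustration (PHP would render the boolean kind as `1`, this model renders it as `true`, which makes the same point: the kind is no longer the string `frameable`).

```javascript
// Added example (not Phabricator/Javelin code). Attribute names come from the
// bug report; everything else here is a simplified model for illustration.

// Server side: the initializer as the buggy code builds it (keys swapped)
// and as the fix builds it.
function buggyInitializer(isFrameable) {
  return { data: 'frameable', kind: Boolean(isFrameable) };
}
function fixedInitializer(isFrameable) {
  return { kind: 'frameable', data: Boolean(isFrameable) };
}

// Render one initializer as the <data> element seen in the page source.
function renderInitializer(init) {
  const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<data data-javelin-init-kind="${esc(init.kind)}" ` +
         `data-javelin-init-data="${esc(JSON.stringify(init.data))}"></data>`;
}

// Client side: recover {kind, data} pairs from the markup.
function parseInitializers(html) {
  const re = /data-javelin-init-kind="([^"]*)"\s+data-javelin-init-data="([^"]*)"/g;
  const unesc = (s) => s.replace(/&quot;/g, '"').replace(/&amp;/g, '&');
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ kind: unesc(m[1]), data: JSON.parse(unesc(m[2])) });
  }
  return out;
}

// Frame-busting decision (assumed behaviour): stay framed only when an
// initializer of kind 'frameable' carries the value true. With the swapped
// keys the kind is "true" and no initializer matches, so the page busts out.
function shouldBustFrame(html) {
  const frameable = parseInitializers(html).some(
    (init) => init.kind === 'frameable' && init.data === true);
  return !frameable;
}

// Minimal matcher for the frame-ancestors directive quoted in #3. Real CSP
// source matching has more rules (ports, paths, scheme upgrades); this covers
// 'self', 'none', exact hosts and a leading host wildcard.
function frameAncestorsAllows(directive, selfOrigin, ancestorOrigin) {
  const sources = directive.replace(/^frame-ancestors\s+/, '').trim().split(/\s+/);
  const [aScheme, aHost] = ancestorOrigin.split('://');
  return sources.some((src) => {
    if (src === "'self'") return ancestorOrigin === selfOrigin;
    if (src === "'none'") return false;
    const parts = src.split('://');
    const host = parts.length === 2 ? parts[1] : parts[0];
    if (parts.length === 2 && parts[0] !== aScheme) return false;
    if (host.startsWith('*.')) {
      return aHost.endsWith(host.slice(1)) && aHost.length > host.length - 1;
    }
    return aHost === host;
  });
}

// Usage: compare the two renderings the reporter saw.
console.log(renderInitializer(buggyInitializer(true)), shouldBustFrame(renderInitializer(buggyInitializer(true))));
console.log(renderInitializer(fixedInitializer(true)), shouldBustFrame(renderInitializer(fixedInitializer(true))));
```

The two console lines show the buggy markup busting out of the frame and the corrected markup leaving it in place, which is the behaviour change the reporter observed after swapping the keys.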


#4

Please let me know if you need any further reproduction instructions in order to make this fix.


#5

Would you like me to send you a diff for this?