cesium 1.7.1 infobox

Hello Mathew/Patrick,

After updating the project from Cesium 1.5 to Cesium 1.7.1, we began getting errors upon clicking czmlDataSources (which should pop up the InfoBox widget) as given below:

Blocked script execution in ‘https://localhost:8443/SIServer//common/loadswf.jsp?swfobject=50_1520140.0&…coexpml%26theme%3Dblue%26needsbbox%3Dtrue%26randvalue%3D0.6849840832245232’

because the document’s frame is sandboxed and the ‘allow-scripts’ permission is not set.

We are using the Cesium-provided InfoBox through an iframe, and we had set attributes on the iframe like the below, but in vain.

sandbox="allow-same-origin allow-scripts allow-popups allow-forms"

This is kind of very important and urgent. Could you please let us know how to go about it?

thanks and regards,

chandrika

By an insane coincidence I stumbled onto this exactly now, 2 hours after this was posted.

It is fixed by adding ‘allow-scripts’ to the ‘sandbox’ attribute on the iframe (line 150716 in the unminified 1.7).

Given the fact that we control the contents of the script (a view image popup from the infobox preview), are there any negative security implications of this? Could it be enabled by default, or at least parameterised?

cheers

-i

Hello Ivan,

We also tried the same way as suggested by you, but were you able to load an SWF file in the infobox with the same approach in Cesium 1.7.1?

thanks and regards
chandrika

I had a similar problem when I upgraded to 1.7 where I had buttons in my infoBox that referenced functions at the cesium container level as well as css. In order to get it to work I did the following, not sure if it will help you.

// change sandbox property as you mentioned
viewer.infoBox.frame.sandbox = "allow-same-origin allow-top-navigation allow-pointer-lock allow-popups allow-forms allow-scripts";

Then in the button’s onclick event I added parent.functionName(), which allowed the button to reference back to the container level. I still haven’t been able to get the css working so I just copied it into the infoBox as a workaround.

Maybe you have a similar situation where you need to reference back to a library from outside the infoBox?

Hi Kevin,

Indeed, that’s really helpful: firstly to learn that updating the ‘allow-scripts’ can be done via code (which cancels my original question in this thread), and then also that iframe content can call parent.myFunction(). So the (image show) function can be defined at the same level as Cesium.

Thanks very much!

-i

Kevin’s approach is correct, but you can also disable it completely by removing the attribute: viewer.infoBox.frame.removeAttribute('sandbox');

Cesium is secure by default, and there are no plans to change that strategy any time soon. That being said, we definitely need to improve documentation and examples in this area.
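
Added example (not part of the thread and not Cesium code): a small audit of what each sandbox value posted above actually grants, which speaks to the question about security implications. The function name auditSandbox, the finding labels and the SAMPLES object are hypothetical; the sandbox strings are the ones from the thread, plus one constructed value.

```javascript
// Audit an iframe sandbox value. Pass null when the attribute is absent,
// which is what getAttribute('sandbox') returns after removeAttribute('sandbox').
function auditSandbox(value) {
  if (value === null || value === undefined) {
    // No sandbox at all: the framed HTML runs with the embedding page's privileges.
    return { sandboxed: false, tokens: [], findings: ['no-sandbox'] };
  }
  // Sandbox tokens are whitespace-separated and ASCII case-insensitive.
  const tokens = [...new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean))];
  const has = (t) => tokens.includes(t);
  const findings = [];
  if (has('allow-scripts') && has('allow-same-origin')) {
    // Script in a same-origin frame can call into window.parent (this is what
    // makes parent.functionName() work) and can remove the sandbox attribute
    // from its own frame element, so the sandbox no longer contains it.
    findings.push('scripts-plus-same-origin');
  } else if (has('allow-scripts')) {
    // Script runs, but in an opaque origin: calls into the parent are blocked.
    findings.push('scripts-in-opaque-origin');
  }
  if (has('allow-top-navigation')) findings.push('top-navigation'); // can navigate the whole page away
  if (has('allow-popups')) findings.push('popups');                 // can open new windows
  if (has('allow-forms')) findings.push('forms');                   // can submit forms
  return { sandboxed: true, tokens, findings };
}

const SAMPLES = {
  // Values quoted in the thread.
  firstPost: 'allow-same-origin allow-scripts allow-popups allow-forms',
  kevin: 'allow-same-origin allow-top-navigation allow-pointer-lock allow-popups allow-forms allow-scripts',
  removed: null,
  // Constructed value for comparison: scripts without same-origin access.
  scriptsOnly: 'allow-scripts',
};

// Returns { name: [findings] } for every sample, for logging or a config review.
function auditAll(samples) {
  const report = {};
  for (const [name, value] of Object.entries(samples)) {
    report[name] = auditSandbox(value).findings;
  }
  return report;
}

console.log(auditAll(SAMPLES));
```

In a running page the same check can be applied with auditSandbox(viewer.infoBox.frame.getAttribute('sandbox')). Any result containing scripts-plus-same-origin or no-sandbox means the HTML shown in the InfoBox should be treated as trusted code, so it matters whether every data source feeding it is under your control.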