After updating the project from Cesium 1.5 to Cesium 1.7.1, we began getting errors upon clicking czmlDataSources (which should pop up the InfoBox widget) as given below:
By an insane coincidence i stumbled onto this exactly now, 2 hours after this was posted.
It is fixed by adding ‘allow-scripts’ to the ‘sandox’ attribute on the iframe, (line 150716 in the unminified 1.7).
given the fact that we control the contents of the script (a view image popup from the infobox preview), are there any negative security implications of this ? could it be enabled by default, or at least paramatised ?
I had a similar problem when I upgraded to 1.7 where I had buttons in my infoBox that referenced functions at the cesium container level as well as css. In order to get it to work I did the following, not sure if it will help you.
Then in the buttons onclick event I added parent.functionName() which allowed the button to reference back to the container level. I still haven’t been able to get the css working so I just copied it into the infoBox as a workaround.
Maybe you have a similar situation where you need to reference back to a library from outside the infoBox?
indeed that’s really helpful: firstly to learn that updating the ‘allow-scripts’ can be done via code, (which cancels my original question in this thread), and then also that iframe content can call parent.myFunction(). So the (image show) function can be defined at the same level as cesium.
Kevin’s approach is correct, but you can also disable it completely by removing the attribute: viewer.infoBox.frame.removeAttribute(‘sandbox’);
Cesium is secure by default, and there’s no plans to change that strategy any time soon. That being said, we definitely need to improve documentation and examples in this area.