JS-SDK: Added checkCSP method. Added error if CSP header not contain current domain. Fixed onAppError call.

public/scripts/api.js

@@ -47,12 +47,31 @@
       onSelectCallback: null,
       onCloseCallback: null,
       onAppReady: null,
-      onAppError: null,
+      onAppError: (e) => console.log("onAppError", e),
       onEditorCloseCallback: null,
       onAuthSuccess: null,
     },
   };
 
+  const checkCSP = async (targetSrc, onAppError) => {
+    let allow = false;
+    const currentSrc = window.location.origin;
+
+    try {
+      const cspSettings = await fetch(`${targetSrc}/api/2.0/security/csp`);
+      const res = await cspSettings.json();
+      const { header } = res.response;
+
+      allow =
+        header.indexOf(window.location.origin) !== -1 ||
+        targetSrc === currentSrc;
+    } catch (e) {
+      onAppError(e);
+    }
+
+    return allow;
+  };
+
   const getConfigFromParams = () => {
     const src = decodeURIComponent(document.currentScript.src);
 
@@ -83,6 +102,7 @@
   class DocSpace {
     #iframe;
     #isConnected = false;
+    #cspInstalled = false;
     #callbacks = [];
     #tasks = [];
     #classNames = "";
@@ -173,18 +193,28 @@
       iframe.name = config.name;
       iframe.id = config.frameId;
 
-      iframe.align = "top";
+      iframe.loading = "lazy";
-      iframe.frameBorder = 0;
       iframe.allowFullscreen = true;
       iframe.setAttribute("allowfullscreen", "");
       iframe.setAttribute("allow", "autoplay");
 
+      //iframe.referrerpolicy = "unsafe-url";
+
       if (config.type == "mobile") {
         iframe.style.position = "fixed";
         iframe.style.overflow = "hidden";
         document.body.style.overscrollBehaviorY = "contain";
       }
 
+      if (!this.#cspInstalled) {
+        const errorMessage =
+          "Current domain not set in Content Security Policy (CSP) settings. Please add it on developer tools page.";
+        config.events.onAppError(errorMessage);
+
+        const html = `<body>${errorMessage}</body>`;
+        iframe.srcdoc = html;
+      }
+
       return iframe;
     };
 
@@ -250,7 +280,9 @@
     };
     #executeMethod = (methodName, params, callback) => {
       if (!this.#isConnected) {
-        console.log("Message bus is not connected with frame");
+        this.config.events.onAppError(
+          "Message bus is not connected with frame"
+        );
         return;
       }
 
@@ -270,12 +302,17 @@
       this.#sendMessage(message);
     };
 
-    initFrame(config) {
+    async initFrame(config) {
-      const configFull = { ...defaultConfig, ...config };
+      const configFull = Object.assign(defaultConfig, config);
-      this.config = { ...this.config, ...configFull };
+      this.config = Object.assign(this.config, configFull);
 
       const target = document.getElementById(this.config.frameId);
 
+      this.#cspInstalled = await checkCSP(
+        this.config.src,
+        this.config.events.onAppError
+      );
+
       if (target) {
         this.#iframe = this.#createIframe(this.config);
         this.#classNames = target.className;
@@ -284,6 +321,7 @@
           target.parentNode.replaceChild(this.#iframe, target);
 
         window.addEventListener("message", this.#onMessage, false);
+
         this.#isConnected = true;
       }