Merge pull request #5628 from nathan-muir/oauth-browser-policy

OAuth - remove inline javascript from popup/redirect logins

packages/oauth/end_of_popup_response.html

@@ -1,51 +1,11 @@
 <html>
-<head>
-<script type="text/javascript">
-
-function storeAndClose() {
-
-  var config = JSON.parse(document.getElementById("config").innerHTML);
-
-  if (config.setCredentialToken) {
-    var credentialToken = config.credentialToken;
-    var credentialSecret = config.credentialSecret;
-
-    if (config.isCordova) {
-      var credentialString = JSON.stringify({
-        credentialToken: credentialToken,
-        credentialSecret: credentialSecret
-      });
-
-      window.location.hash = credentialString;
-    }
-
-    if (window.opener && window.opener.Package &&
-          window.opener.Package.oauth) {
-      window.opener.Package.oauth.OAuth._handleCredentialSecret(
-        credentialToken, credentialSecret);
-    } else {
-      try {
-        localStorage[config.storagePrefix + credentialToken] = credentialSecret;
-      } catch (err) {
-        // We can't do much else, but at least close the popup instead
-        // of having it hang around on a blank page.
-      }
-    }
-  }
-
-  if (! config.isCordova) {
-    document.getElementById("completedText").style.display = "block";
-    window.close();
-  }
-}
-</script>
-</head>
-<body onload="storeAndClose()">
+<body>
   <p id="completedText" style="display:none;">
-    Login completed. <a href="#" onclick="window.close()">
+    Login completed. <a href="#" id="loginCompleted">
       Click here</a> to close this window.
   </p>
 
   <div id="config" style="display:none;">##CONFIG##</div>
+  <script type="text/javascript" src="/packages/oauth/end_of_popup_response.js"></script>
 </body>
 </html>

packages/oauth/end_of_popup_response.js

@@ -0,0 +1,37 @@
+(function () {
+
+  var config = JSON.parse(document.getElementById("config").innerHTML);
+
+  if (config.setCredentialToken) {
+    var credentialToken = config.credentialToken;
+    var credentialSecret = config.credentialSecret;
+
+    if (config.isCordova) {
+      var credentialString = JSON.stringify({
+        credentialToken: credentialToken,
+        credentialSecret: credentialSecret
+      });
+
+      window.location.hash = credentialString;
+    }
+
+    if (window.opener && window.opener.Package &&
+          window.opener.Package.oauth) {
+      window.opener.Package.oauth.OAuth._handleCredentialSecret(
+        credentialToken, credentialSecret);
+    } else {
+      try {
+        localStorage[config.storagePrefix + credentialToken] = credentialSecret;
+      } catch (err) {
+        // We can't do much else, but at least close the popup instead
+        // of having it hang around on a blank page.
+      }
+    }
+  }
+
+  if (! config.isCordova) {
+    document.getElementById("completedText").style.display = "block";
+    document.getElementById("loginCompleted").onclick = function(){ window.close(); };
+    window.close();
+  }
+})();

packages/oauth/end_of_redirect_response.html

@@ -1,23 +1,6 @@
 <html>
-<head>
-<script type="text/javascript">
-
-  function storeAndRedirect () {
-
-    var config = JSON.parse(document.getElementById("config").innerHTML);
-
-    if (config.setCredentialToken) {
-      sessionStorage[config.storagePrefix + config.credentialToken] =
-      config.credentialSecret;
-    }
-
-    window.location = config.redirectUrl;
-
-  };
-
-</script>
-</head>
-<body onload="storeAndRedirect()">
+<body>
   <div id="config" style="display:none;">##CONFIG##</div>
+  <script type="text/javascript" src="/packages/oauth/end_of_redirect_response.js"></script>
 </body>
 </html>

packages/oauth/end_of_redirect_response.js

@@ -0,0 +1,12 @@
+(function () {
+
+  var config = JSON.parse(document.getElementById("config").innerHTML);
+
+  if (config.setCredentialToken) {
+    sessionStorage[config.storagePrefix + config.credentialToken] =
+    config.credentialSecret;
+  }
+
+  window.location = config.redirectUrl;
+
+})();

packages/oauth/package.js

@@ -35,6 +35,11 @@ Package.onUse(function (api) {
     'end_of_redirect_response.html'
   ], 'server');
 
+  api.addAssets([
+    'end_of_popup_response.js',
+    'end_of_redirect_response.js'
+  ], 'client');
+
   api.addFiles('oauth_common.js');
 
   // XXX COMPAT WITH 0.8.0