From 65c41975a6dca0610c7dc4454ece9534f3636893 Mon Sep 17 00:00:00 2001
From: toasted-nutbread
Date: Mon, 22 Jun 2020 19:26:59 -0400
Subject: [PATCH] Secure popup frame url changes (#622)
* Throw error if options is not ready
* Remove id
* Change unsecurePopupFrameUrl to useSecurePopupFrameUrl
---
 ext/bg/data/options-schema.json | 6 +++---
 ext/bg/js/options.js | 2 +-
 ext/bg/settings.html | 2 +-
 ext/fg/js/popup.js | 13 +++++++++----
 4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/ext/bg/data/options-schema.json b/ext/bg/data/options-schema.json
index 5885e036..f8791433 100644
--- a/ext/bg/data/options-schema.json
+++ b/ext/bg/data/options-schema.json
@@ -110,7 +110,7 @@
 "showPitchAccentPositionNotation",
 "showPitchAccentGraph",
 "showIframePopupsInRootFrame",
- "unsecurePopupFrameUrl"
+ "useSecurePopupFrameUrl"
 ],
 "properties": {
 "enable": {
@@ -249,9 +249,9 @@
 "type": "boolean",
 "default": false
 },
- "unsecurePopupFrameUrl": {
+ "useSecurePopupFrameUrl": {
 "type": "boolean",
- "default": false
+ "default": true
 }
 }
 },
diff --git a/ext/bg/js/options.js b/ext/bg/js/options.js
index 170e4799..151c945b 100644
--- a/ext/bg/js/options.js
+++ b/ext/bg/js/options.js
@@ -177,7 +177,7 @@ function profileOptionsCreateDefaults() {
 showPitchAccentPositionNotation: true,
 showPitchAccentGraph: false,
 showIframePopupsInRootFrame: false,
- unsecurePopupFrameUrl: false
+ useSecurePopupFrameUrl: true
 },
 audio: {
diff --git a/ext/bg/settings.html b/ext/bg/settings.html
index 77b61aef..4de70b7e 100644
--- a/ext/bg/settings.html
+++ b/ext/bg/settings.html
@@ -183,7 +183,7 @@
- +
diff --git a/ext/fg/js/popup.js b/ext/fg/js/popup.js
index 4394a965..3b14d3d0 100644
--- a/ext/fg/js/popup.js
+++ b/ext/fg/js/popup.js
@@ -326,19 +326,24 @@ class Popup {
 }
 async _createInjectPromise() {
+ if (this._options === null) {
+ throw new Error('Options not initialized');
+ }
+
+ const {useSecurePopupFrameUrl} = this._options.general;
+
 this._injectStyles();
- const unsecurePopupFrameUrl = (this._options !== null && this._options.general.unsecurePopupFrameUrl);
 const {secret, token} = await this._initializeFrame(this._frame, this._targetOrigin, this._frameId, (frame) => {
 frame.removeAttribute('src');
 frame.removeAttribute('srcdoc');
 this._observeFullscreen(true);
 this._onFullscreenChanged();
 const url = chrome.runtime.getURL('/fg/float.html');
- if (unsecurePopupFrameUrl) {
- frame.setAttribute('src', url);
- } else {
+ if (useSecurePopupFrameUrl) {
 frame.contentDocument.location.href = url;
+ } else {
+ frame.setAttribute('src', url);
 }
 });
 this._frameSecret = secret;
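Review bot: The `else` branch inside the `_initializeFrame` callback still writes the `chrome.runtime.getURL('/fg/float.html')` result into the frame's `src` attribute, which sits in the host page's DOM where page script can read it, and nothing at that branch explains that this is what the option controls. A comment above the `if` would make the trade-off visible, for example `// Secure path: navigate through contentDocument so the extension URL is never written to a page-readable attribute; the src fallback exposes it.` (presumably that is the intent behind the option name; confirm before committing the wording). Separately, the secure path, now the default, dereferences `frame.contentDocument` without a check, so if it can be null when the callback runs, the resulting TypeError will be much less clear than the new 'Options not initialized' error. `_createInjectPromise` continues past the end of the hunk, so what happens after `this._frameSecret = secret;` is not visible here.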