From b22c1d942374014e0d50e5429c3f89cc1ca18173 Mon Sep 17 00:00:00 2001
From: "Guillaume (gdi)" <gdi@odoo.com>
Date: Fri, 23 Jun 2023 13:07:45 +0000
Subject: [PATCH] [FIX] web: prevent traceback in edit mode with embedded video

Since [this other commit], initializing the color picker could trigger a
traceback. The traceback was due to the fact that for users to be able
to drag/move the color picker as they wished across different frames, we
needed access to the document of all the frames on the page.
Unfortunately, if one of these frames was not of the same origin, a
traceback was displayed. This commit corrects how we collect documents
from frames on the page, by only taking those whose document we have the
right to see (which do not raise a cross origin error). I didn't succeed
to reproduce the bug locally, but I got it on the runbot with theme
Nursery / Kiddo by dropping the block banner on the page, the error
appears because the block contains a vimeo video. In fact, you just need
to have embedded content (youtube / vimeo / ... video for example) start
edit mode, click on the block containing the video and the error is
displayed.

[this other commit]: https://github.com/odoo/odoo/commit/63bf363d302fe9f93a824fa6f1ff3bbe21f98088

runbot-22573

closes odoo/odoo#126310

X-original-commit: 8ff33c758f56fb917165b4aa0ea70ae775a6d321
Signed-off-by: Quentin Smetz (qsm) <qsm@odoo.com>
---
 addons/web/static/src/legacy/js/widgets/colorpicker.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/addons/web/static/src/legacy/js/widgets/colorpicker.js b/addons/web/static/src/legacy/js/widgets/colorpicker.js
index e071750d0bc1..b5c57afa6fcc 100644
--- a/addons/web/static/src/legacy/js/widgets/colorpicker.js
+++ b/addons/web/static/src/legacy/js/widgets/colorpicker.js
@@ -43,7 +43,15 @@ var ColorpickerWidget = Widget.extend({
         // anywhere on the screen, crossing iframes).
         // TODO adapt in master: these events should probably be bound in
         // `start` instead of `init` (at least to be more conventional).
-        this.$documents = $([window.top, ...Array.from(window.top.frames)].map(w => w.document));
+        this.$documents = $([window.top, ...Array.from(window.top.frames).filter(frame => {
+            try {
+                const document = frame.document;
+                return !!document;
+            } catch {
+                // We cannot access the document (cross origin).
+                return false;
+            }
+        })].map(w => w.document));
         this.$documents.on(`mousemove.${this.uniqueId}`, _.throttle((ev) => {
             this._onMouseMovePicker(ev);
             this._onMouseMoveSlider(ev);
-- 
GitLab