From 596786cd58c24abe512c93f6b260801494e168c8 Mon Sep 17 00:00:00 2001
From: Jaco Greeff
Date: Fri, 16 Feb 2018 10:38:28 +0100
Subject: [PATCH 1/3] [beta] Wallet allowJsEval: true
---
 js-old/src/manifest.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/js-old/src/manifest.json b/js-old/src/manifest.json
index 0fc9b44f368..dd9bc7abbfa 100644
--- a/js-old/src/manifest.json
+++ b/js-old/src/manifest.json
@@ -4,4 +4,5 @@
 "author": "Parity ",
 "description": "Parity Wallet and Account management tools",
 "iconUrl": "icon.png",
+ "allowJsEval": true
 }
From f184577cfa4ddeb6457c96e80955294b1aeb61a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomasz=20Drwi=C4=99ga?=
Date: Fri, 16 Feb 2018 11:39:06 +0100
Subject: [PATCH 2/3] Fix unsafe wallet.
---
 dapps/src/apps/mod.rs | 18 ++++++++++++------
 dapps/src/page/builtin.rs | 14 ++++++++------
 2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/dapps/src/apps/mod.rs b/dapps/src/apps/mod.rs
index e7657736d18..0ee5b308fd2 100644
--- a/dapps/src/apps/mod.rs
+++ b/dapps/src/apps/mod.rs
@@ -44,7 +44,7 @@ pub const WEB_PATH: &'static str = "web";
 pub const URL_REFERER: &'static str = "__referer=";
 pub fn utils(pool: CpuPool) -> Box {
- Box::new(page::builtin::Dapp::new(pool, parity_ui::App::default()))
+ Box::new(page::builtin::Dapp::new(pool, false, parity_ui::App::default()))
 }
 pub fn ui(pool: CpuPool) -> Box {
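Review bot: The added `"allowJsEval": true` in js-old/src/manifest.json relaxes the script policy of the wallet dapp, which handles accounts, and nothing in the patch records why the wallet needs it. JSON cannot carry a comment, so the reason and the condition for removing the flag belong in the commit description or in a note kept beside the manifest. What the flag actually permits is not visible here; the 3/3 subject suggests it maps to unsafe-eval, which should be confirmed where the manifest is consumed.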
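Review bot: The bare `false` in `Dapp::new(pool, false, parity_ui::App::default())` (hunk @@ -44,7 of dapps/src/apps/mod.rs) does not say at the call site what is being switched off, and this is a security-relevant switch. The same applies to the trailing `false` and `true` on the two `insert` calls in hunk @@ -76,9. An inline label such as `Dapp::new(pool, /* allow_js_eval */ false, parity_ui::App::default())` would make an accidental flip visible in review; a two-variant enum in place of the `bool` would go further.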
@@ -76,9 +76,9 @@ pub fn all_endpoints(
 }
 // NOTE [ToDr] Dapps will be currently embeded on 8180
- insert::(&mut pages, "ui", Embeddable::Yes(embeddable.clone()), pool.clone());
+ insert::(&mut pages, "ui", Embeddable::Yes(embeddable.clone()), pool.clone(), false);
 // old version
- insert::(&mut pages, "v1", Embeddable::Yes(embeddable.clone()), pool.clone());
+ insert::(&mut pages, "v1", Embeddable::Yes(embeddable.clone()), pool.clone(), true);
 pages.insert("proxy".into(), ProxyPac::boxed(embeddable.clone(), dapps_domain.to_owned()));
 pages.insert(WEB_PATH.into(), Web::boxed(embeddable.clone(), web_proxy_tokens.clone(), fetch.clone()));
@@ -86,10 +86,16 @@ pub fn all_endpoints(
 (local_endpoints, pages)
 }
-fn insert(pages: &mut Endpoints, id: &str, embed_at: Embeddable, pool: CpuPool) {
+fn insert(
+ pages: &mut Endpoints,
+ id: &str,
+ embed_at: Embeddable,
+ pool: CpuPool,
+ allow_js_eval: bool,
+) {
 pages.insert(id.to_owned(), Box::new(match embed_at {
- Embeddable::Yes(address) => page::builtin::Dapp::new_safe_to_embed(pool, T::default(), address),
- Embeddable::No => page::builtin::Dapp::new(pool, T::default()),
+ Embeddable::Yes(address) => page::builtin::Dapp::new_safe_to_embed(pool, allow_js_eval, T::default(), address),
+ Embeddable::No => page::builtin::Dapp::new(pool, allow_js_eval, T::default()),
 }));
 }
diff --git a/dapps/src/page/builtin.rs b/dapps/src/page/builtin.rs
index 827fe27a3b4..ff1ee97b3d0 100644
--- a/dapps/src/page/builtin.rs
+++ b/dapps/src/page/builtin.rs
@@ -38,13 +38,14 @@ pub struct Dapp {
 impl Dapp {
 /// Creates new `Dapp` for builtin (compile time) Dapp.
- pub fn new(pool: CpuPool, app: T) -> Self {
- let info = app.info();
+ pub fn new(pool: CpuPool, allow_js_eval: bool, app: T) -> Self {
+ let mut info = EndpointInfo::from(app.info());
+ info.allow_js_eval = Some(allow_js_eval);
 Dapp {
 pool,
 app,
 safe_to_embed_on: None,
- info: EndpointInfo::from(info),
+ info,
 fallback_to_index_html: false,
 }
 }
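Review bot: In hunk @@ -76,9 of dapps/src/apps/mod.rs the `"v1"` endpoint is registered with `Embeddable::Yes(..)` and `true`, so the old UI is frameable from the embeddable address and also gets the relaxed eval setting, while the only comment beside it is `// old version`. The comment should say why this endpoint needs the relaxation and when it can go, for example `// old version: needs allow_js_eval until js-old stops using eval`. That wording assumes the js-old wallet from 1/3 is the reason; adjust it if not. all_endpoints begins above this hunk.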
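Review bot: `insert` gains the `allow_js_eval` parameter in hunk @@ -86,10 but has no doc comment, so the meaning of the flag has to be traced through `Dapp::new` into `EndpointInfo`. A short comment above the function would cover it, e.g. `/// Registers builtin dapp T under id; allow_js_eval is forwarded to the endpoint info and relaxes its script policy.` The exact effect of the flag is not visible in this patch, so the wording should be checked against the place where `allow_js_eval` is consumed.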
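Review bot: `info.allow_js_eval = Some(allow_js_eval);` in `Dapp::new` (hunk @@ -38,13 of dapps/src/page/builtin.rs) replaces whatever `EndpointInfo::from(app.info())` produced, so if the app's own info already carries an eval setting, as the manifest flag added in 1/3 suggests it might, that value is silently discarded. Which source wins should be decided explicitly and stated in the doc comment, which still reads only "Creates new `Dapp` for builtin (compile time) Dapp." and does not mention the new parameter. The same two lines are repeated in `new_safe_to_embed` (hunk @@ -65,13); a small private helper that returns the prepared `EndpointInfo` would keep the two constructors from drifting apart. The `impl` block continues outside this hunk.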
@@ -65,13 +66,14 @@ impl Dapp {
 /// Creates new `Dapp` which can be safely used in iframe
 /// even from different origin. It might be dangerous (clickjacking).
 /// Use wisely!
- pub fn new_safe_to_embed(pool: CpuPool, app: T, address: Embeddable) -> Self {
- let info = app.info();
+ pub fn new_safe_to_embed(pool: CpuPool, allow_js_eval: bool, app: T, address: Embeddable) -> Self {
+ let mut info = EndpointInfo::from(app.info());
+ info.allow_js_eval = Some(allow_js_eval);
 Dapp {
 pool,
 app,
 safe_to_embed_on: address,
- info: EndpointInfo::from(info),
+ info,
 fallback_to_index_html: false,
 }
 }
From 1fefc67fff3d31ed314be895a85d318f4bc21f3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomasz=20Drwi=C4=99ga?=
Date: Fri, 16 Feb 2018 12:11:21 +0100
Subject: [PATCH 3/3] Enable unsafe-eval for all dapps.
---
 dapps/src/apps/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dapps/src/apps/mod.rs b/dapps/src/apps/mod.rs
index 0ee5b308fd2..79a8e706d34 100644
--- a/dapps/src/apps/mod.rs
+++ b/dapps/src/apps/mod.rs
@@ -76,7 +76,7 @@ pub fn all_endpoints(
 }
 // NOTE [ToDr] Dapps will be currently embeded on 8180
- insert::(&mut pages, "ui", Embeddable::Yes(embeddable.clone()), pool.clone(), false);
+ insert::(&mut pages, "ui", Embeddable::Yes(embeddable.clone()), pool.clone(), true);
 // old version
 insert::(&mut pages, "v1", Embeddable::Yes(embeddable.clone()), pool.clone(), true);
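Review bot: The doc comment on `new_safe_to_embed` (hunk @@ -65,13 of dapps/src/page/builtin.rs) still warns only about clickjacking, but with the new `allow_js_eval` argument a caller can build an endpoint that is frameable from another origin and also has the eval restriction lifted. The comment should name that combination, e.g. by adding `/// allow_js_eval additionally lifts the eval restriction for this endpoint; pass true only when the dapp cannot run without it.` Inserting the `bool` between `pool` and `app` also changes the positional order of a public constructor, so any callers outside this patch need checking.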
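Review bot: After this change both `insert` calls in hunk @@ -76,7 of dapps/src/apps/mod.rs pass `true`, so the main `"ui"` endpoint moves from the `false` set in 2/3 to the relaxed setting and the flag no longer distinguishes the two endpoints. Neither the subject nor the code says why the UI needs it or whether it is temporary. If it is a stopgap, a marker next to the call would keep it from becoming permanent, e.g. `// TODO: allow_js_eval is a stopgap for "ui"; set back to false once the UI runs without eval`. all_endpoints begins and ends outside this hunk.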