sveltejs / sites

Monorepo for the sites in the Svelte ecosystem
https://svelte.dev
MIT License

indexedDb and localStorage calls not allowed #158

Closed kuhlaid closed 1 day ago

kuhlaid commented 4 years ago

Can 'allow-same-origin' be made available in the https://svelte.dev/repl? I'm not sure where the 'relaxed' boolean ever gets set to true to include 'allow-same-origin'. https://github.com/sveltejs/svelte-repl/blob/84c3c8dcdca48f64dedd8a1af8b99a0dc1ab15a9/src/Output/Viewer.svelte#L239

The reason I ask is that without 'allow-same-origin' in this line, there is no way to perform basic IndexedDB and localStorage calls within the REPL (see https://svelte.dev/repl/569c0a7b1bcb416d939c9de58f57a307?version=3.22.2 as an example).

I tested this locally by simply removing the 'relaxed' condition and including 'allow-same-origin':

sandbox="allow-popups-to-escape-sandbox allow-scripts allow-popups allow-forms allow-pointer-lock allow-top-navigation allow-modals allow-same-origin"

After this change I was able to interact with IndexedDB and localStorage from within the REPL. This would be helpful so developers can test browser storage Svelte examples in the REPL.

Conduitry commented 4 years ago

relaxed is set to true when displaying any of the built-in example, tutorial, or blog post REPLs. Enabling allow-same-origin unconditionally is not an option, as it would permit malicious REPLs to steal credentials. Having some sort of toggle button for the user to opt in to reduced security when viewing a REPL has been discussed, but I don't remember whether there's a specific issue for it anywhere.
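The two sandbox values discussed in this thread, and what each actually permits, as an added example (not code from sveltejs/sites or the svelte-repl project). buildSandbox mirrors the behaviour the thread describes for Viewer.svelte: the same token list either way, with allow-same-origin appended only when relaxed is true. assessSandbox applies the standard HTML sandbox semantics to any sandbox attribute value; it is a generic checker, not something the REPL ships.

```javascript
// Added example, not sveltejs/sites code. The token list is the one
// quoted in kuhlaid's comment; the `relaxed` switch is the behaviour
// Conduitry describes (allow-same-origin only for built-in REPLs).
const BASE_TOKENS = [
  'allow-popups-to-escape-sandbox',
  'allow-scripts',
  'allow-popups',
  'allow-forms',
  'allow-pointer-lock',
  'allow-top-navigation',
  'allow-modals',
];

// Build the iframe sandbox attribute: allow-same-origin is appended only
// when the REPL is one of the trusted built-in examples.
function buildSandbox(relaxed) {
  const tokens = relaxed ? [...BASE_TOKENS, 'allow-same-origin'] : BASE_TOKENS;
  return tokens.join(' ');
}

// Assess what a sandbox attribute value permits. These are the standard
// HTML sandboxing rules, not anything REPL-specific.
function assessSandbox(sandboxAttr) {
  const tokens = new Set(sandboxAttr.trim().split(/\s+/).filter(Boolean));
  const scripts = tokens.has('allow-scripts');
  const sameOrigin = tokens.has('allow-same-origin');
  const findings = [];

  if (!sameOrigin) {
    // Opaque origin: the frame cannot read the embedder's cookies or
    // storage, and its own localStorage/indexedDB access throws a
    // SecurityError. This is exactly what breaks storage demos in the REPL.
    findings.push('opaque origin: localStorage/indexedDB unavailable inside the frame, embedder storage unreadable');
  }
  if (scripts && sameOrigin) {
    // Scripts now run under the embedder's origin and can read its
    // storage and cookies. If the frame document is itself same-origin
    // with the embedding page, the script can also remove the sandbox
    // attribute from its own <iframe>, voiding the sandbox entirely.
    findings.push('allow-scripts + allow-same-origin: frame scripts share the embedder origin and can defeat the sandbox');
  }
  if (tokens.has('allow-top-navigation')) {
    // Not gated on user activation, unlike allow-top-navigation-by-user-activation.
    findings.push('allow-top-navigation: frame may navigate the top-level page without user activation');
  }

  return {
    opaqueOrigin: !sameOrigin,
    scriptsRun: scripts,
    canEscape: scripts && sameOrigin,
    findings,
  };
}

// Stand-alone run: compare the default and relaxed REPL sandboxes.
for (const relaxed of [false, true]) {
  console.log(relaxed ? 'relaxed' : 'default', assessSandbox(buildSandbox(relaxed)));
}
```

The checker makes the trade-off in this thread concrete: the default value gives an opaque origin, which is why Web Storage and IndexedDB throw, and the relaxed value removes that protection for every script in the frame, not just the storage calls the reporter wants.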

kuhlaid commented 4 years ago

Fair enough. Is there some other configuration change that would allow for use of IndexedDB and localStorage within the REPLs? I know browser database connections are allowed in REPL.it, but they may be less security conscious. I feel Svelte is a pretty powerful tool when paired with local storage, and as such I would like to be able to post working examples through the Svelte REPL (where others can play with the code without setting up their own environment). I want to see Svelte thrive, as it is a favorite client-side framework of mine.

louislouw commented 2 years ago

Not sure if it would be possible to replace these objects with mock versions that either keep data in memory, or limit the scope of access to localStorage by prefixing keys with a random string? This will likely pose no security threat.

benmccann commented 1 day ago

Closing since the site has been rewritten. Please file at https://github.com/sveltejs/svelte.dev/issues/new if the issue persists.