tkhq / sdk

Turnkey TypeScript SDK
Apache License 2.0

`@turnkey/iframe-stamper`: add `sandbox` attribute to iframe element #255

Closed r-n-o closed 4 months ago

r-n-o commented 4 months ago

Summary & Motivation

This branch adds a new `sandbox` attribute to the `<iframe>` element inserted by our iframe stamper. This is a conservative measure taken for security reasons: we do not need most privileges (popups, form submission, top-level page navigation, and so on). Defense in depth!

How I Tested These Changes

Tested this locally with the import/export demo since they're our most complex iframes: everything works as expected!

Did you add a changeset?

Yes!

r-n-o commented 4 months ago

It turns out `allow-same-origin` is also needed! Great answer explaining why at https://stackoverflow.com/questions/41067069/javascript-errors-localstorage-cookie-loading-sandboxed-iframe-within-chrome

r-n-o commented 4 months ago

> one note, it looks like the iframe-stamper version just had a major version bump to 2.x.x -- are there any breaking changes in that where this attribute change might get blocked by supporting that? Feel free to ignore and merge if it's not an issue.

No issue that I know of, the extra sandbox attribute shouldn't affect the package API or behavior at all, it's just there as a defense-in-depth measure in case the page and code served at the target URL starts attempting to do things we don't expect (e.g. display popups, take over navigation).
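
A check of the kind this thread motivates, as an added example that is not part of the PR or of the Turnkey SDK: it audits a `sandbox` attribute value for the privileges the summary says are not needed and for the missing `allow-same-origin` case noted above. The function name, the policy table and the sample origins are assumptions made for illustration; the token names are standard HTML sandbox keywords.

```javascript
// Added example (not SDK code): audit an iframe `sandbox` attribute value.
// UNNEEDED is an assumed policy based on the privileges the PR summary lists
// as unnecessary: popups, form submission, top-level navigation.
const UNNEEDED = {
  "allow-popups": "popups",
  "allow-popups-to-escape-sandbox": "popups that leave the sandbox",
  "allow-forms": "form submission",
  "allow-top-navigation": "top-level page navigation",
  "allow-top-navigation-by-user-activation": "top-level page navigation",
};

// sandboxAttr: attribute value, or null when the attribute is absent.
// embedderOrigin / frameUrl: constructed sample inputs in the checks below.
function auditSandbox(sandboxAttr, embedderOrigin, frameUrl) {
  // No attribute at all means no sandbox; an empty string is the strictest.
  if (sandboxAttr === null || sandboxAttr === undefined) {
    return ["no sandbox attribute: frame runs with full privileges"];
  }
  const findings = [];
  // Sandbox keywords are space-separated and ASCII case-insensitive.
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  for (const [token, what] of Object.entries(UNNEEDED)) {
    if (tokens.has(token)) findings.push(`${token} grants ${what}`);
  }
  // Without allow-same-origin the frame gets an opaque origin, so its own
  // localStorage and cookies are unavailable (the problem noted in the thread).
  if (!tokens.has("allow-same-origin")) {
    findings.push("allow-same-origin missing: localStorage/cookies unavailable");
  }
  // allow-scripts + allow-same-origin is only meaningful isolation when the
  // frame is cross-origin to the embedder; a same-origin frame can reach the
  // parent document and remove its own sandbox attribute.
  const sameOrigin = new URL(frameUrl).origin === embedderOrigin;
  if (sameOrigin && tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin on a same-origin frame");
  }
  return findings;
}
```
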