tachibana-shin
commented
6 months ago Instead of using the document.write api which has been removed by Google, we can use service worker to thoroughly handle this.
Open hatemhosny opened 6 months ago
tachibana-shin
commented
6 months ago Instead of using the document.write api which has been removed by Google, we can use service worker to thoroughly handle this.
hatemhosny
commented
6 months ago Thank you @tachibana-shin for drawing my attention to this. I did find what you refer to: https://developer.chrome.com/blog/removing-document-write However, I believe this does not apply to our case:
Specifically Chrome will not execute the Githubissues.
Githubissues is a development platform for aggregating issues.
hello, Thanks for the great project. I used it as a base for Vue support on my project (LiveCodes - an open-source client-side code playground for 80+ frameworks/languages). https://livecodes.io/?template=vue
I noticed that the result page of the repl is displayed in a sandboxed iframe. However, the code is sent to the iframe by setting
srcdoc. This does not set a different origin for the iframe.For example, if I run this in the repl, it works!
If we are able to access the repl parent (embedding pages on user websites), then we can read cookies, localStorage and all sorts of bad things. I think this is a major security concern.
I suggest to set the
iframe.srcto a page on a different origin and then send the html usingpostMessage. This is an example repo, where I added a simple webpage that can be set asiframe.srcand would accept the HTML sent to it from its parent anddocument.writes it to itself. I published that to npm so that it can be hosted (with versions) on CDNs. It can be used as this URL: https://unpkg.com/@live-codes/playground-sandbox@1.0.0/index.html.That was just an example. However, if you agree with that, I would be happy to send a PR for this change.