fix: allow js scipts for most https origin #1236
Conversation
bytecii
requested review from
4pmtong,
Wendong-Fan,
fengju0213,
lightaime and
nitpicker55555
bytecii
changed the title
src/components/Folder/index.tsx
Outdated
| sandbox="allow-scripts allow-forms" | ||
| sandbox="allow-scripts allow-forms allow-same-origin" |
There was a problem hiding this comment.
can we remove allow-same-origin? When an iframe enables both allow-scripts and allow-same-origin, and uses srcDoc (thus sharing the same origin as the parent page), scripts inside the frame effectively gain the same privileges as the main application — allowing them to access the parent DOM, read sensitive data, and even remove the sandbox, rendering the isolation meaningless from a security perspective. check https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
There was a problem hiding this comment.
If we removed that, many demo examples will not be correctly shown.
There was a problem hiding this comment.
would using blob URL instead of srcDoc could resolve this issue?
There was a problem hiding this comment.
For this trade-off, the most efficient approach seems to be simply removing allow-same-origin. It’s mainly used for localStorage, which isn’t typically required for 3D rendering. What do you think?
@bytecii
Wendong-Fan
left a comment
Wendong-Fan
left a comment
There was a problem hiding this comment.
thanks @bytecii , I will remove allow-same-origin for now and merge this PR to move things forward first, if we have better solution we can add another enhance PR later
3 participants
Description
Sometimes eigent generates the interactive htmls but cannot render / interact usually because of we now only allow one javascript script (js from https://cdn.amplitude.com).
Now add as many as https allowlist as possible
Fixes #1233
What is the purpose of this pull request?