From 1c0255ab126d3b38ae9e78b17cdab9a07e5f0185 Mon Sep 17 00:00:00 2001
From: Will Chen
Date: Wed, 3 Sep 2025 14:17:50 -0700
Subject: [PATCH] Enable iframe sandbox (#1178)
This allows almost all the iframe sandbox tokens https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe#sandbox except notably for allow-top-navigation*
Note: allow-same-origin should be OK because the main window is under the `file://` origin while the iframe window is served on `localhost:####`
---
## Summary by cubic
Enable sandboxing on the preview iframe to isolate preview content while preserving needed capabilities (allow-same-origin, scripts, forms, popups, modals, orientation/pointer lock, presentation, downloads). Top-level navigation remains disallowed; allow-same-origin is safe because the app is file:// and the iframe runs on localhost.
---
 e2e-tests/preview_iframe.spec.ts | 10 ++++++++++
 ...spec.ts_preview-iframe-has-sandbox-attributes-1.txt | 1 +
 package-lock.json | 4 ++--
 src/components/preview_panel/PreviewIframe.tsx | 1 +
 4 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 e2e-tests/preview_iframe.spec.ts
 create mode 100644 e2e-tests/snapshots/preview_iframe.spec.ts_preview-iframe-has-sandbox-attributes-1.txt
diff --git a/e2e-tests/preview_iframe.spec.ts b/e2e-tests/preview_iframe.spec.ts
new file mode 100644
index 0000000..d1b7722
--- /dev/null
+++ b/e2e-tests/preview_iframe.spec.ts
@@ -0,0 +1,10 @@
+import { testSkipIfWindows } from "./helpers/test_helper";
+import { expect } from "@playwright/test";
+
+testSkipIfWindows("preview iframe has sandbox attributes", async ({ po }) => {
+ await po.setUp();
+ await po.sendPrompt("hi");
+ expect(
+ await po.getPreviewIframeElement().getAttribute("sandbox"),
+ ).toMatchSnapshot();
+});
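Review bot: The only assertion in this test is a snapshot match, so the security property the commit cares about — that the sandbox never regains `allow-top-navigation*` — is not actually pinned; a later `--update-snapshots` run would silently accept a loosened token list, and a missing attribute (`getAttribute` returning null) would also just snapshot as `null`. Read the value once and assert the invariant explicitly before snapshotting the full list: `const sandbox = await po.getPreviewIframeElement().getAttribute("sandbox");`, `expect(sandbox).not.toContain("allow-top-navigation");`, `expect(sandbox).toMatchSnapshot();`. A one-line comment such as `// The token list is snapshotted, but top-level navigation must stay excluded regardless of snapshot updates.` would record why the extra assertion exists.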
diff --git a/e2e-tests/snapshots/preview_iframe.spec.ts_preview-iframe-has-sandbox-attributes-1.txt b/e2e-tests/snapshots/preview_iframe.spec.ts_preview-iframe-has-sandbox-attributes-1.txt
new file mode 100644
index 0000000..18ab75c
--- /dev/null
+++ b/e2e-tests/snapshots/preview_iframe.spec.ts_preview-iframe-has-sandbox-attributes-1.txt
@@ -0,0 +1 @@
+allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-downloads
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
index 10efcb0..b417a2e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "dyad",
- "version": "0.19.0-beta.1",
+ "version": "0.19.0",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "dyad",
- "version": "0.19.0-beta.1",
+ "version": "0.19.0",
 "license": "MIT",
 "dependencies": {
 "@ai-sdk/anthropic": "^2.0.4",
diff --git a/src/components/preview_panel/PreviewIframe.tsx b/src/components/preview_panel/PreviewIframe.tsx
index 9f3eb4a..2edf974 100644
--- a/src/components/preview_panel/PreviewIframe.tsx
+++ b/src/components/preview_panel/PreviewIframe.tsx
@@ -544,6 +544,7 @@ export const PreviewIframe = ({ loading }: { loading: boolean }) => {
 ) : (