Enable iframe sandbox (#1178)

This enables almost all of the iframe sandbox tokens
https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe#sandbox
with the notable exception of the allow-top-navigation* tokens.

Note: allow-same-origin should be OK because the main window is under
the `file://` origin while the iframe window is served on
`localhost:####`

    
<!-- This is an auto-generated description by cubic. -->
---

## Summary by cubic
Enable sandboxing on the preview iframe to isolate preview content while
preserving needed capabilities (allow-same-origin, scripts, forms,
popups, modals, orientation/pointer lock, presentation, downloads).
Top-level navigation remains disallowed; allow-same-origin is safe
because the app is file:// and the iframe runs on localhost.

<!-- End of auto-generated description by cubic. -->
This commit is contained in:
Will Chen
2025-09-03 14:17:50 -07:00
committed by GitHub
parent 67c67e7bec
commit 1c0255ab12
4 changed files with 14 additions and 2 deletions


@@ -0,0 +1,10 @@
import { testSkipIfWindows } from "./helpers/test_helper";
import { expect } from "@playwright/test";
testSkipIfWindows("preview iframe has sandbox attributes", async ({ po }) => {
await po.setUp();
await po.sendPrompt("hi");
expect(
await po.getPreviewIframeElement().getAttribute("sandbox"),
).toMatchSnapshot();
});
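Review bot: The `toMatchSnapshot()` assertion on the `expect(` lines pins the whole token list, but a snapshot is regenerated wholesale by `--update-snapshots`, so a later edit that adds `allow-top-navigation` or `allow-popups-to-escape-sandbox` would only show up as a snapshot churn rather than a failing test. Keep the snapshot, but also assert the property that matters explicitly, e.g. `const sandbox = await po.getPreviewIframeElement().getAttribute("sandbox"); expect(sandbox).not.toContain("allow-top-navigation"); expect(sandbox).not.toContain("allow-popups-to-escape-sandbox");`. The attribute is static markup, so the Windows skip seems unnecessary here, though the reason `testSkipIfWindows` is used is not visible in this hunk.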


@@ -0,0 +1 @@
allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-downloads

package-lock.json generated

@@ -1,12 +1,12 @@
{
"name": "dyad",
"version": "0.19.0-beta.1",
"version": "0.19.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "dyad",
"version": "0.19.0-beta.1",
"version": "0.19.0",
"license": "MIT",
"dependencies": {
"@ai-sdk/anthropic": "^2.0.4",


@@ -544,6 +544,7 @@ export const PreviewIframe = ({ loading }: { loading: boolean }) => {
</div>
) : (
<iframe
sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-downloads"
data-testid="preview-iframe-element"
onLoad={() => {
setErrorMessage(undefined);
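Review bot: The reasoning that makes `allow-same-origin` acceptable lives only in the commit message, not next to the `sandbox=` attribute, so a future change that serves the preview from the same origin as the host document (or that adds a navigation token) would not be warned. With `allow-same-origin` and `allow-scripts` both set, framed content that shares the host's origin can reach the parent document and strip its own sandbox, so the protection depends entirely on the file:// vs localhost origin split described in the commit. Add a comment above the attribute, e.g. `{/* allow-same-origin is only safe because the host document is file:// and the preview is served from localhost (distinct origins); allow-top-navigation* and allow-popups-to-escape-sandbox are deliberately omitted — do not add them. */}`, and consider hoisting the token string into a named module constant such as `PREVIEW_IFRAME_SANDBOX` so the test can assert against the same value rather than a copy. The PreviewIframe component body starts and ends outside this hunk.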