ha_zigbee2mqtt_networkmap

An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.

Open dh-harald opened this issue 6 years ago • 3 comments

Hi,

I'm getting this error message in the JavaScript console. Hopefully it's some security stuff in the newer Firefox (69.0.2).

Can you fix this somehow?

dh-harald avatar Oct 22 '19 09:10 dh-harald

Sorry for the late feedback. I can reproduce the problem with Firefox, but I have not found a solution yet. Maybe someone else has an idea?

rgruebel avatar Jan 29 '20 13:01 rgruebel

I checked my Firefox, v73 (developer edition), and I can see the message as a warning, but not as an error. As a warning, it's just precautionary to let us know it can escape the sandbox.

Do you see it as an error? Do you feel this is preventing your installation from working?

The sandbox="" attribute comes from HASS, by using the panel_iframe function. To change the attributes would require going to HASS, specifically in the file ha-panel-iframe.html As per this SO answer https://stackoverflow.com/questions/35208161/is-it-safe-to-have-sandbox-allow-scripts-allow-popups-allow-same-origin-on-if allow-same-origin is not safe to use normally.

I would suggest you bring this up with the HASS developers to remove it, or to allow the config to set which attributes are used/set on iframes; as sometimes the iframe is pointing to our own local code which we deem safe and other times it may point to 3rd party where we want protections in place.

codewise-nicolas avatar Mar 22 '20 05:03 codewise-nicolas
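To make the point in the comment above concrete, here is an added example (not code from this issue or from the ha_zigbee2mqtt_networkmap project) that audits iframe markup for the sandbox combination Firefox warns about and suggests a hardened attribute value; the sample markup and the paths in it are constructed, not taken from Home Assistant.

```javascript
// Added example, not code from the issue or the ha_zigbee2mqtt_networkmap project:
// audit iframe sandbox attributes for the allow-scripts + allow-same-origin
// combination that Firefox warns about, and suggest a hardened value.

// Sandbox tokens are whitespace-separated and case-insensitive.
function parseSandboxTokens(value) {
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// With both tokens the framed document is scripted and same-origin with its
// embedder, so, as the warning says, it can remove its own sandboxing and
// the attribute provides no real isolation.
function sandboxCanBeEscaped(value) {
  const t = parseSandboxTokens(value);
  return t.has("allow-scripts") && t.has("allow-same-origin");
}

// Hardened value: keep the other tokens, drop allow-same-origin so the frame
// runs under an opaque origin.
function hardenSandbox(value) {
  const t = parseSandboxTokens(value);
  t.delete("allow-same-origin");
  return [...t].join(" ");
}

// Scan markup for <iframe> tags and report each one's sandbox state. A regex
// pass is enough for audit output; it is not a full HTML parser.
function auditIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /(?:^|\s)sandbox\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const a = attrRe.exec(attrs);
    // Bare `sandbox` (no value) means fully sandboxed: an empty token set.
    const value = a ? (a[1] ?? a[2] ?? a[3]) : (/(?:^|\s)sandbox(?:\s|$)/i.test(attrs) ? "" : null);
    const status = value === null ? "unsandboxed" : sandboxCanBeEscaped(value) ? "escapable" : "ok";
    findings.push({ tag: m[0], sandbox: value, status,
                    suggested: status === "escapable" ? hardenSandbox(value) : null });
  }
  return findings;
}

// Constructed sample markup (not captured from Home Assistant): three panel frames.
const SAMPLE_HTML = [
  '<iframe src="/local/networkmap.html" sandbox="allow-scripts allow-same-origin"></iframe>',
  "<iframe src='https://example.invalid/widget' sandbox='allow-scripts allow-popups'></iframe>",
  '<iframe src="/local/legacy.html"></iframe>',
].join("\n");
```

Dropping allow-same-origin puts the framed page in an opaque origin, so an embedded app that relies on cookies or localStorage of the embedding origin loses them; that is the trade-off behind the request above to make the attributes configurable per iframe.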

@codewise-nicolas
Looks like it works again with the current version. In a previous version it was an error and the map was not displayed.

rgruebel avatar Mar 29 '20 18:03 rgruebel