
Remove pseudo sandbox

Open DennisNikolay opened this issue 1 year ago • 2 comments

The iframe containing the mindmap is sandboxed, but this sandbox does not provide any additional security because it uses allow-scripts and allow-same-origin at the same time, so any script within the iframe could just remove the sandbox attribute.

Source: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#allow-top-navigation-to-custom-protocols

When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.

This pull request removes the sandbox attribute, solving the following issue https://github.com/ACTom/files_mindmap/issues/165 without decreasing security as there is no security benefit of the sandbox in the first place.

DennisNikolay, Jan 10 '24 19:01
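
A check for the configuration described in this pull request, as an added example that is not part of the thread or of the files_mindmap code base: it flags iframes that set both allow-scripts and allow-same-origin on a document sharing the embedding page's origin. The page URL, paths and markup are constructed sample values.

```javascript
// Added example: flag iframes whose sandbox can be undone by the framed page.
// Regex tag parsing is a simplification; use a real HTML parser on untrusted markup.
const ATTR_RE = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttrs(attrText) {
  const attrs = new Map();
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // On duplicate attributes the first one wins, as in the HTML parser.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

function auditIframes(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const tag of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = parseAttrs(tag[1]);
    const src = attrs.get("src");
    // A frame with no src (about:blank) or with srcdoc inherits the embedder's origin.
    const sameOrigin = attrs.has("srcdoc") || !src ||
      new URL(src, pageUrl).origin === pageOrigin;
    let verdict = "unsandboxed";
    if (attrs.has("sandbox")) {
      // Sandbox tokens are whitespace-separated and ASCII case-insensitive.
      const tokens = new Set(attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean));
      const both = tokens.has("allow-scripts") && tokens.has("allow-same-origin");
      // Both tokens on a same-origin frame: its script can reach the parent DOM.
      verdict = both && sameOrigin ? "ineffective" : "effective";
    }
    findings.push({ src: src ?? null, sameOrigin, verdict });
  }
  return findings;
}

// Constructed sample page and origin (hypothetical, not from files_mindmap).
const SAMPLE_PAGE_URL = "https://cloud.example/apps/viewer/";
const SAMPLE_HTML = `
<iframe src="/apps/viewer/editor.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://widgets.example/embed" sandbox="Allow-Scripts allow-same-origin"></iframe>
<iframe src="editor.html" sandbox="allow-scripts"></iframe>
<iframe src="/apps/viewer/editor.html"></iframe>`;

for (const f of auditIframes(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(`${f.verdict.padEnd(12)} sameOrigin=${f.sameOrigin} src=${f.src}`);
}
```

The cross-origin frame is reported as effective because it keeps its own origin and cannot reach the embedding page, so the remaining sandbox restrictions still hold.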

Please, can any developer at least comment on this pull request? Thank you! <3

ardarandir, Jan 24 '24 11:01

@ACTom: Is there any other use case for the sandbox?

DennisNikolay, Mar 17 '24 10:03