From 0d342ad3f403f6c01ecd679e2faa57514faa6495 Mon Sep 17 00:00:00 2001
From: aashu2006
Date: Thu, 5 Feb 2026 01:35:51 +0530
Subject: [PATCH 1/2] Harden embed preview iframe with sandbox restrictions
---
 client/modules/Preview/EmbedFrame.jsx | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/client/modules/Preview/EmbedFrame.jsx b/client/modules/Preview/EmbedFrame.jsx
index 2b6ac16720..dc17dc9602 100644
--- a/client/modules/Preview/EmbedFrame.jsx
+++ b/client/modules/Preview/EmbedFrame.jsx
@@ -262,6 +262,9 @@ function EmbedFrame({ files, isPlaying, basePath, gridOutput, textOutput }) {
 const htmlFile = useMemo(() => getHtmlFile(files), [files]);
 const srcRef = useRef();
 
+ const sandboxAttributes =
+ 'allow-forms allow-modals allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-top-navigation-by-user-activation allow-downloads';
+
 useEffect(() => {
 const unsubscribe = registerFrame(
 iframe.current.contentWindow,
@@ -306,6 +309,8 @@ function EmbedFrame({ files, isPlaying, basePath, gridOutput, textOutput }) {
 role="main"
 frameBorder="0"
 ref={iframe}
+ sandbox={sandboxAttributes}
+ allow="accelerometer; ambient-light-sensor; autoplay; bluetooth; camera; encrypted-media; geolocation; gyroscope; hid; microphone; magnetometer; midi; payment; usb; serial; vr; xr-spatial-tracking"
 />
 );
 }
From b9e40682dd3dc518570ae3aedf9644f647f623fb Mon Sep 17 00:00:00 2001
From: aashu2006
Date: Thu, 5 Feb 2026 01:51:26 +0530
Subject: [PATCH 2/2] Fix formatting to satisfy Prettier
---
 client/modules/Preview/EmbedFrame.jsx | 32 ++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/client/modules/Preview/EmbedFrame.jsx b/client/modules/Preview/EmbedFrame.jsx
index dc17dc9602..ed386dec7d 100644
--- a/client/modules/Preview/EmbedFrame.jsx
+++ b/client/modules/Preview/EmbedFrame.jsx
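Review bot: The new `sandboxAttributes` string combines `allow-same-origin` with `allow-scripts`, and if the sketch document ends up same-origin with the page rendering `EmbedFrame` (the `srcRef` and the `registerFrame(iframe.current.contentWindow, …)` call suggest the preview is written into the frame from this page, which would make a srcdoc-style document inherit the embedder's origin) a sketch can reach `window.parent.document` and simply remove the `sandbox` attribute from this iframe, so none of the other flags provide isolation. The restriction is only meaningful when the sketch runs on an origin distinct from the page that embeds it, and that assumption is not recorded anywhere in the hunk. I would add above the declaration `// NOTE: allow-same-origin + allow-scripts only isolates the sketch if the preview is served from a separate origin — confirm before reusing this list` and, if a same-origin preview is possible, drop `allow-same-origin` instead. `allow-top-navigation-by-user-activation` also lets a sketch redirect the top-level page on any click, which deserves a one-line justification next to it. The `EmbedFrame` body continues outside the hunk.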
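Review bot: The added `allow` attribute delegates `payment`, `usb`, `serial`, `hid` and `bluetooth` to user-authored sketch content, which widens rather than restricts what the frame may request — a feature's default allowlist is `self`, so a cross-origin frame would not get these without an explicit `allow`. For a commit described as hardening, each entry should be tied to a p5 API that needs it (camera and microphone for capture, accelerometer and gyroscope for device motion); the hardware-access and payment entries read as copied from a permissive template rather than chosen. I would trim the list to what the preview demonstrably uses and put `// Permissions delegated to the sketch; add entries only for a concrete p5 use case` above it. `vr` also appears to be a legacy feature name superseded by `xr-spatial-tracking`, so it can likely be dropped once checked against the browsers the editor targets. The `<iframe>` element this attribute belongs to starts before the hunk.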
@@ -262,8 +262,16 @@ function EmbedFrame({ files, isPlaying, basePath, gridOutput, textOutput }) {
 const htmlFile = useMemo(() => getHtmlFile(files), [files]);
 const srcRef = useRef();
 
- const sandboxAttributes =
- 'allow-forms allow-modals allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-top-navigation-by-user-activation allow-downloads';
+ const sandboxAttributes = [
+ 'allow-forms',
+ 'allow-modals',
+ 'allow-pointer-lock',
+ 'allow-popups',
+ 'allow-same-origin',
+ 'allow-scripts',
+ 'allow-top-navigation-by-user-activation',
+ 'allow-downloads'
+ ].join(' ');
 
 useEffect(() => {
 const unsubscribe = registerFrame(
@@ -310,7 +318,25 @@ function EmbedFrame({ files, isPlaying, basePath, gridOutput, textOutput }) {
 frameBorder="0"
 ref={iframe}
 sandbox={sandboxAttributes}
- allow="accelerometer; ambient-light-sensor; autoplay; bluetooth; camera; encrypted-media; geolocation; gyroscope; hid; microphone; magnetometer; midi; payment; usb; serial; vr; xr-spatial-tracking"
+ allow={[
+ 'accelerometer',
+ 'ambient-light-sensor',
+ 'autoplay',
+ 'bluetooth',
+ 'camera',
+ 'encrypted-media',
+ 'geolocation',
+ 'gyroscope',
+ 'hid',
+ 'microphone',
+ 'magnetometer',
+ 'midi',
+ 'payment',
+ 'usb',
+ 'serial',
+ 'vr',
+ 'xr-spatial-tracking'
+ ].join('; ')}
 />
 );
 }