From d7e3ae607655f51581981f1ea31f2d64f6d169d0 Mon Sep 17 00:00:00 2001
From: ScreenTinker
Date: Sat, 30 May 2026 13:14:31 -0500
Subject: [PATCH] security(widgets): tighten webpage widget inner sandbox

The webpage widget's inner iframe previously declared sandbox="allow-scripts allow-same-origin", which was functionally stripped to "allow-scripts" by the outer iframe sandbox added in fe36c8c. This commit makes the declared sandbox match the actual effective behavior.

Closes the remaining piece of issue #8.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 server/routes/widgets.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/routes/widgets.js b/server/routes/widgets.js
index fddf89f..b3f6d9d 100644
--- a/server/routes/widgets.js
+++ b/server/routes/widgets.js
@@ -287,7 +287,7 @@ function renderWebpage(c) {
 * { margin:0; } body { height:100vh; overflow:hidden; } iframe { width:${invZoom}%; height:${invZoom}%; border:0; transform:scale(${zoom}); transform-origin:0 0; } - + ${c.refresh_interval > 0 ? `` : ''} `; }
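Review bot: The rewritten iframe line itself is not legible in this copy of the hunk (its markup appears to have been stripped, leaving only the bare `-` and `+` markers), so the sandbox change can only be checked against the commit message; a short comment on the new line would let the intent survive future edits, e.g. `// sandbox: allow-same-origin deliberately omitted — the outer widget iframe (fe36c8c) already denies it, so declaring it here would be misleading`. Independently of the sandbox, the surrounding context lines interpolate `${invZoom}` and `${zoom}` directly into the inner document's CSS rule and read `c.refresh_interval` in the trailing conditional; if those values originate from widget configuration rather than from an already-validated number, coerce them (e.g. `Number(...)`) before they are interpolated, since a non-numeric value would otherwise land verbatim in the served HTML. renderWebpage's body begins and ends outside the hunk, so where `zoom` and `invZoom` are derived cannot be confirmed from here.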