mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-18 20:22:42 -06:00
fe36c8c4b9
Addresses the primary finding from the May 27 security report (issue #8): the admin widget preview modal (frontend/js/views/widgets.js) and the web player widget renderer (server/player/index.html, 2 sites) loaded user-authored widget HTML into unsandboxed iframes. Same-origin scripts in the widget content could access window.parent.localStorage and exfiltrate the JWT. sandbox="allow-scripts" without allow-same-origin sandboxes the widget into a unique origin: inline scripts (clock, RSS, weather widgets) continue to work, but parent-origin access and same-origin requests are blocked. Verified via Playwright probe against all 6 widget types in the dev DB (clock, rss, social, text, weather, webpage): each renders correctly under the new sandbox and contentDocument access from the parent is blocked (opaque-origin enforcement working). Admin preview unchanged in appearance; player display unchanged. Webpage widget (server/routes/widgets.js) sandbox tightening (drop allow-same-origin) is a separate forthcoming commit - needs test against real embed URLs since some sites rely on same-origin behavior. The sandbox-attribute intersection rule means today's outer-iframe sandbox will cascade and strip allow-same-origin from the webpage widget's inner iframe too; accepted as a narrow cosmetic regression (cookies/localStorage stripped for embedded sites) until the deliberate inner-iframe handling ships. SECURITY.md added with reporting process (GitHub Security Advisories primary, support@bytetinker.net fallback) and scope. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| config | ||
| db | ||
| lib | ||
| middleware | ||
| player | ||
| routes | ||
| services | ||
| ws | ||
| .gitignore | ||
| config.js | ||
| package-lock.json | ||
| package.json | ||
| server.js | ||