mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-15 10:43:36 -06:00
fe36c8c4b9
Addresses the primary finding from the May 27 security report (issue #8): the admin widget preview modal (frontend/js/views/widgets.js) and the web player widget renderer (server/player/index.html, 2 sites) loaded user-authored widget HTML into unsandboxed iframes. Same-origin scripts in the widget content could access window.parent.localStorage and exfiltrate the JWT. sandbox="allow-scripts" without allow-same-origin sandboxes the widget into a unique origin: inline scripts (clock, RSS, weather widgets) continue to work, but parent-origin access and same-origin requests are blocked. Verified via Playwright probe against all 6 widget types in the dev DB (clock, rss, social, text, weather, webpage): each renders correctly under the new sandbox and contentDocument access from the parent is blocked (opaque-origin enforcement working). Admin preview unchanged in appearance; player display unchanged. Webpage widget (server/routes/widgets.js) sandbox tightening (drop allow-same-origin) is a separate forthcoming commit - needs test against real embed URLs since some sites rely on same-origin behavior. The sandbox-attribute intersection rule means today's outer-iframe sandbox will cascade and strip allow-same-origin from the webpage widget's inner iframe too; accepted as a narrow cosmetic regression (cookies/localStorage stripped for embedded sites) until the deliberate inner-iframe handling ships. SECURITY.md added with reporting process (GitHub Security Advisories primary, support@bytetinker.net fallback) and scope. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| debug-overlay.js | ||
| index.html | ||
| sw.js | ||