Support iframe sandbox attribute ... #4340
Comments
Are you asking how to set a CSP on your own deployment?
No. When embedding drawio in an iframe I want to use a minimal set of sandbox attributes. I mainly don't want to grant Thx
We have reasons for how we configure our own deployment. If you need something different, simply create your own deployment.
It is not about the deployment. Even if I run my own deployment of drawio, I still cannot iframe it with the desired iframe sandbox. Unless I am missing something. Thx a lot
Should work in 24.3.1
Thx a lot. I will test this asap!
@davidjgraph can you please reopen this issue?
@davidjgraph is there any fix? Shall I retest anything?
Should work now.
Looks like it is working now. Thx @davidjgraph @alderg
Is your feature request related to a problem? Please describe.
From a security perspective, iframes should use sandbox attributes to limit attack vectors and jail an application inside an iframe.
It should be enough to load drawio in an iframe with sandbox="allow-scripts", but drawio tries to access the parent document:
- Access to document.cookie: this can be worked around by specifying the urlParam mode=foo
- Access to Navigator.serviceWorker: I could not find a workaround to this; no idea if it is even possible to run without the service worker
Describe the solution you'd like
drawio should not try to break out of the iframe - at least workarounds should be documented.
Describe alternatives you've considered
See above
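The failure mode the report describes is the behaviour of any app loaded under sandbox="allow-scripts" without allow-same-origin: the framed document gets an opaque origin, so reading document.cookie throws a SecurityError and the service worker API is unavailable. The following is an added illustration, not drawio code and not from this thread, of how an embedded app can probe those capabilities at startup and degrade instead of throwing, plus how an embedder can emit the iframe with an explicit, validated token list. The window-like objects (fakeWindow) are constructed stand-ins so the code runs outside a browser; probeCapabilities, iframeMarkup and the sample URL are hypothetical names and values.

```javascript
// Added example (not part of drawio): defensive capability probing for a web
// app that may be embedded as <iframe sandbox="allow-scripts">, and a small
// helper for the embedding side. Names and sample values are constructed.

// Embedded-app side: probe the APIs that fail on an opaque-origin document
// inside try/catch so startup does not depend on them. `win` is a window-like
// object (a real `window` in the browser, a stand-in here).
function probeCapabilities(win) {
  const caps = { cookies: false, serviceWorker: false, opaqueOrigin: false };
  try {
    void win.document.cookie; // throws SecurityError on an opaque-origin document
    caps.cookies = true;
  } catch (err) {
    caps.opaqueOrigin = true; // lacks allow-same-origin: degrade, don't crash
  }
  try {
    caps.serviceWorker = Boolean(win.navigator && win.navigator.serviceWorker);
  } catch (err) {
    caps.serviceWorker = false;
  }
  return caps;
}

// Embedder side: emit the iframe with a minimal, explicit sandbox token list.
// Browsers silently ignore unknown tokens, so a typo would not be reported;
// validate against the spec's token names before emitting markup.
const SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

function iframeMarkup(src, tokens) {
  for (const t of tokens) {
    if (!SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  // Note: allow-scripts together with allow-same-origin on a same-origin embed
  // lets the framed page strip its own sandbox; keep allow-same-origin out of
  // the list unless the embedded app genuinely needs its real origin.
  const escaped = src.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe src="${escaped}" sandbox="${tokens.join(' ')}"></iframe>`;
}

// Constructed stand-in for a browser window, for running this outside a
// browser. A sandboxed window mimics the opaque-origin behaviour described
// above: document.cookie throws and navigator.serviceWorker is absent.
function fakeWindow({ sandboxed }) {
  const document = {};
  Object.defineProperty(document, 'cookie', {
    get() {
      if (sandboxed) {
        const e = new Error('document is sandboxed without allow-same-origin');
        e.name = 'SecurityError';
        throw e;
      }
      return 'session=constructed-value';
    },
  });
  const navigator = sandboxed ? {} : { serviceWorker: { register() {} } };
  return { document, navigator };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(probeCapabilities(fakeWindow({ sandboxed: true })));
  console.log(probeCapabilities(fakeWindow({ sandboxed: false })));
  console.log(iframeMarkup('https://embed.example.invalid/?mode=foo', ['allow-scripts']));
}

if (typeof module !== 'undefined') {
  module.exports = { probeCapabilities, iframeMarkup, fakeWindow, SANDBOX_TOKENS };
}
```

Run with node; the sandboxed probe reports opaqueOrigin true and no cookie or service worker access, which is the state an app should tolerate when the embedder grants only allow-scripts.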