From b4e9ca5c84ee18ab38709aaedd067c13a3a7c855 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?=
 <1005065+DeepDiver1975@users.noreply.github.com>
Date: Thu, 4 Apr 2024 09:33:48 +0200
Subject: [PATCH] fix: apply sandbox attribute to OnlyOffice/Collabora iframe

---
 changelog/unreleased/iframe-sandbox-drawio.md                | 2 +-
 changelog/unreleased/iframe-sandbox-external.md              | 5 +++++
 packages/web-app-external/src/App.vue                        | 2 ++
 .../tests/unit/__snapshots__/app.spec.ts.snap                | 4 ++--
 4 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 changelog/unreleased/iframe-sandbox-external.md

diff --git a/changelog/unreleased/iframe-sandbox-drawio.md b/changelog/unreleased/iframe-sandbox-drawio.md
index 29641578093..11cfa3bbfd0 100644
--- a/changelog/unreleased/iframe-sandbox-drawio.md
+++ b/changelog/unreleased/iframe-sandbox-drawio.md
@@ -1,5 +1,5 @@
 Bugfix: Apply sandbox attribute to iframe in draw-io extension
 
-General hardening of ownCloud Web
+General hardening of ownCloud Web integration with draw.io
 
 https://github.com/owncloud/web/pull/10702
diff --git a/changelog/unreleased/iframe-sandbox-external.md b/changelog/unreleased/iframe-sandbox-external.md
new file mode 100644
index 00000000000..05c839f94fe
--- /dev/null
+++ b/changelog/unreleased/iframe-sandbox-external.md
@@ -0,0 +1,5 @@
+Bugfix: Apply sandbox attribute to iframe in app-external extension
+
+General hardening of ownCloud Web integration with OnlyOffice/Collabora
+
+https://github.com/owncloud/web/pull/10706
diff --git a/packages/web-app-external/src/App.vue b/packages/web-app-external/src/App.vue
index cb58bab7bf8..a68e5bb7ff2 100644
--- a/packages/web-app-external/src/App.vue
+++ b/packages/web-app-external/src/App.vue
@@ -5,6 +5,7 @@
     class="oc-width-1-1 oc-height-1-1"
     :title="iFrameTitle"
     allowfullscreen
+    sandbox="allow-scripts allow-same-origin"
   />
   <div v-if="appUrl && method === 'POST' && formParameters" class="oc-height-1-1 oc-width-1-1">
     <form :action="appUrl" target="app-iframe" method="post">
@@ -18,6 +19,7 @@
       class="oc-width-1-1 oc-height-1-1"
       :title="iFrameTitle"
       allowfullscreen
+      sandbox="allow-scripts allow-same-origin"
     />
   </div>
 </template>
diff --git a/packages/web-app-external/tests/unit/__snapshots__/app.spec.ts.snap b/packages/web-app-external/tests/unit/__snapshots__/app.spec.ts.snap
index a48e2a508e9..e951c711875 100644
--- a/packages/web-app-external/tests/unit/__snapshots__/app.spec.ts.snap
+++ b/packages/web-app-external/tests/unit/__snapshots__/app.spec.ts.snap
@@ -1,7 +1,7 @@
 // Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
 
 exports[`The app provider extension > should be able to load an iFrame via get 1`] = `
-"<iframe src="https://example.test/d12ab86/loe009157-MzBw" class="oc-width-1-1 oc-height-1-1" title="" example-app" app content area" allowfullscreen=""></iframe>
+"<iframe src="https://example.test/d12ab86/loe009157-MzBw" class="oc-width-1-1 oc-height-1-1" title="" example-app" app content area" allowfullscreen="" sandbox="allow-scripts allow-same-origin"></iframe>
 
 <!--v-if-->"
 `;
@@ -13,7 +13,7 @@ exports[`The app provider extension > should be able to load an iFrame via post
   <form action="https://example.test/d12ab86/loe009157-MzBw" target="app-iframe" method="post"><input type="submit" class="oc-hidden" value="[object Object]">
     <div><input name="access_token" type="hidden" value="asdfsadfsadf"></div>
     <div><input name="access_token_ttl" type="hidden" value="123456"></div>
-  </form> <iframe name="app-iframe" class="oc-width-1-1 oc-height-1-1" title="" example-app" app content area" allowfullscreen=""></iframe>
+  </form> <iframe name="app-iframe" class="oc-width-1-1 oc-height-1-1" title="" example-app" app content area" allowfullscreen="" sandbox="allow-scripts allow-same-origin"></iframe>
 </div>"
 `;