
Add sandboxing to the sponsor button iframe #342

Merged (1 commit), Jan 31, 2024

Conversation

dfaulkner (Contributor)

Adding the sandbox attribute to the sponsor button iframe protects the local Obsidian instance against potentially malicious code from the iframe source. Not that we don't trust you! :D

This is unlikely to be a huge exploit since someone would have to compromise GitHub's sponsor button, but it does stop code scanners from noticing this line, which is nice (and removes an annoyance for my personal use case!)

I've tested with the "allow-top-navigation-by-user-activation" value and it still pops up a browser window with the support page.

Sandbox the sponsor button iframe
@scambier (Owner)

Not that we don't trust you! :D

The iframe source is GitHub, not me :)

Anyway, I haven't been able to find exactly what this setting does. https://webkit.org/demos/frames/sandboxing/ is supposed to demonstrate it, but there wasn't a difference in behavior with or without it.

@dfaulkner (Contributor, Author)

So setting sandbox prevents the iframed document from doing certain things. W3Schools has a good explanation of what's disabled by default:

  • treats the iframe content as a unique origin
  • blocks form submission
  • blocks script execution
  • disable APIs
  • prevent links from targeting other browsing contexts
  • prevent content from using plugins
  • prevent the content from navigating the top-level browsing context
  • block auto triggers like auto-playing video or auto-focusing form controls.

My PR proposes to block all of these except navigating the top-level context, which is necessary to open the sponsor button. As you point out, the iframe src is from GitHub, so the real risk here is an attack on GitHub that would propagate to other tools that frame the sponsors URL interface.

In my personal use case, I receive commit warnings each time I sync my vault using the git plugin. So, this is really to scratch one of my itches as much as it is to improve actual security.
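
The restriction list and the choice of `allow-top-navigation-by-user-activation` above can be checked mechanically. The following is an added example, not code from this PR or from the plugin: a small model of the HTML iframe `sandbox` attribute that reports which of the eight restrictions remain in force for a given attribute value, flags token combinations a reviewer would push back on (in particular `allow-scripts` together with `allow-same-origin`, and the unqualified `allow-top-navigation`), and refuses to build the embed markup when the audit fails. Token semantics follow the HTML Standard; the sponsor-button URL format and all helper names (`parseSandbox`, `effectiveRestrictions`, `auditSandbox`, `sponsorButtonIframe`) are assumptions made for this example.

```javascript
// Added example (not the project's code). Models the iframe `sandbox` attribute
// so a candidate value can be audited before it ships. Helper names and the
// sponsor-button URL format are assumptions.

// Tokens defined by the HTML Standard. Anything else is ignored by browsers.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Tokens that each lift one of the "APIs" the sandbox disables by default.
const API_TOKENS = ["allow-modals", "allow-pointer-lock", "allow-orientation-lock",
                    "allow-presentation", "allow-downloads"];

// null means the attribute is absent (no sandboxing at all); "" means every
// restriction applies. Tokens are ASCII case-insensitive, whitespace separated.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Which of the restrictions listed in the comment above remain in force.
function effectiveRestrictions(value) {
  const tokens = parseSandbox(value);
  if (tokens === null) {
    return { uniqueOrigin: false, formsBlocked: false, scriptsBlocked: false,
             blockedApis: [], popupsBlocked: false, pluginsBlocked: false,
             topNavigation: "allowed", autoFeaturesBlocked: false };
  }
  const has = (t) => tokens.has(t);
  let topNavigation = "blocked";
  if (has("allow-top-navigation")) topNavigation = "allowed";
  else if (has("allow-top-navigation-by-user-activation")) topNavigation = "user-activation";
  return {
    uniqueOrigin: !has("allow-same-origin"),
    formsBlocked: !has("allow-forms"),
    scriptsBlocked: !has("allow-scripts"),
    blockedApis: API_TOKENS.filter((t) => !has(t)),
    popupsBlocked: !has("allow-popups"),
    pluginsBlocked: true,                 // no token lifts the plugins restriction
    topNavigation,
    autoFeaturesBlocked: !has("allow-scripts"), // autoplay/autofocus share the scripts flag
  };
}

// Reviewer-style warnings for a candidate attribute value.
function auditSandbox(value) {
  const tokens = parseSandbox(value);
  if (tokens === null) return ["no sandbox attribute: framed content is unrestricted"];
  const warnings = [];
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) warnings.push(`unknown token, browsers ignore it: ${t}`);
  }
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    warnings.push("allow-scripts + allow-same-origin: a same-origin document can remove its own sandbox");
  }
  if (tokens.has("allow-top-navigation")) {
    warnings.push("allow-top-navigation: frame script can redirect the host without a user gesture; prefer allow-top-navigation-by-user-activation");
  }
  if (tokens.has("allow-popups-to-escape-sandbox")) {
    warnings.push("allow-popups-to-escape-sandbox: windows opened from the frame are not sandboxed");
  }
  return warnings;
}

// Build the embed markup (URL format assumed). Throws if the audit flags anything,
// so a weak value cannot slip in through a later edit. Only known tokens reach
// the attribute, and the user name is percent-encoded, so the string is safe to
// place in an attribute context.
function sponsorButtonIframe(user, sandbox) {
  const problems = auditSandbox(sandbox);
  if (problems.length) throw new Error(problems.join("; "));
  const safeUser = encodeURIComponent(user);
  const tokens = [...parseSandbox(sandbox)].join(" ");
  return `<iframe src="https://github.com/sponsors/${safeUser}/button" ` +
         `sandbox="${tokens}" title="Sponsor ${safeUser}" height="32" width="114" ` +
         `style="border: 0; border-radius: 6px;"></iframe>`;
}
```

`effectiveRestrictions("allow-top-navigation-by-user-activation")` reports every restriction still in place except that top-level navigation is permitted on a user gesture, which is the configuration this PR settles on; `sponsorButtonIframe("scambier", "allow-top-navigation")` throws because the unqualified token lets frame script redirect the host without a click.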

@scambier scambier merged commit 7af00ef into scambier:master Jan 31, 2024