custom-html widget iframe allow more attributes #1698

Merged
merged 1 commit into from
Mar 22, 2022

JMach1
Contributor

@JMach1 JMach1 commented Mar 22, 2022

The problem

Customer is using a widget with custom HTML code. The code of custom-html widget seems to end up in an iframe. The iframe seems to miss sandbox='allow-popups-to-escape-sandbox' which seems to stop the browser from opening up a link in a new tab. Also the code is provided inline which makes the browser think it doesn't have the same origin as the parent page, so customer can't use JavaScript to open a new page in the parent window either.

The solution

I've added the following attributes:

allow-popups-to-escape-sandbox
allow-top-navigation
allow-presentation
allow-orientation-lock
allow-pointer-lock
allow-downloads

I made it as a separate constant so it can be reused elsewhere, for example custom widget iframes.

@JMach1 JMach1 requested a review from azaslonov March 22, 2022 13:42
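
An added example, not part of the pull request or the project's code: a small auditor for an iframe sandbox token list, run on the six tokens listed in the description above. The names `auditSandbox`, `parseSandbox` and `PR_TOKENS` are hypothetical, and the sample value is constructed from that list alone, so it assumes no other tokens (such as `allow-popups` or `allow-scripts`) are present in the real constant.

```javascript
// Added example, not code from the pull request.
// Tokens the HTML standard defines for the iframe sandbox attribute.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// The attribute is a whitespace-separated, ASCII case-insensitive token set.
function parseSandbox(value) {
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Returns review findings for the relaxations a reviewer should look at.
function auditSandbox(value) {
  const t = parseSandbox(value);
  const findings = [];
  const add = (id, note) => findings.push({ id, note });
  for (const tok of t) {
    if (!KNOWN_TOKENS.has(tok)) add("unknown-token", `"${tok}" is not a sandbox token`);
  }
  if (t.has("allow-popups-to-escape-sandbox")) {
    if (t.has("allow-popups")) {
      add("unsandboxed-popups", "windows opened from the frame carry no sandbox restrictions");
    } else {
      add("escape-without-popups", "no effect unless allow-popups is also set; popups stay blocked");
    }
  }
  if (t.has("allow-top-navigation")) {
    add("top-navigation", "frame content can navigate the embedding page without a user " +
      "gesture; allow-top-navigation-by-user-activation requires one");
  }
  if (t.has("allow-scripts") && t.has("allow-same-origin")) {
    add("scripts-same-origin", "a same-origin framed document can script its parent " +
      "and remove the sandbox attribute");
  }
  if (t.has("allow-downloads")) add("downloads", "frame content can start file downloads");
  return findings;
}

// Constructed input: the six tokens listed in this pull request, nothing else.
const PR_TOKENS = "allow-popups-to-escape-sandbox allow-top-navigation " +
  "allow-presentation allow-orientation-lock allow-pointer-lock allow-downloads";
console.log(auditSandbox(PR_TOKENS).map((f) => `${f.id}: ${f.note}`).join("\n"));
```
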
@github-actions

Accessibility Insights Action: All applicable checks passed

  • URLs: 12 URL(s) passed, and 0 were not scannable
  • Rules: 26 check(s) passed, and 26 were not applicable
  • Download the Accessibility Insights artifact to view the detailed results of these checks

This scan used axe-core 4.3.2 with Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36.

@azaslonov azaslonov merged commit bb2a3ee into master Mar 22, 2022
@azaslonov azaslonov deleted the fix/custom_html_allow_sandbox_fix branch March 22, 2022 22:09
@rafaeleloi

@azaslonov @JMach1 could you please inform if this is already available? I've seen that the PR seems to have been merged into the master branch; does that mean it is released as well?

Do we need to do anything more than setting target="_blank" on the links and then publish the portal?
Thanks.

malincrist pushed a commit that referenced this pull request Apr 4, 2022
javierbo1989 pushed a commit that referenced this pull request Apr 8, 2022
maciejtreder pushed a commit that referenced this pull request Jun 13, 2022
azaslonov pushed a commit that referenced this pull request Mar 21, 2025