🛡️ Sentinel: [security improvement] Add sandbox attribute to iframes #157

Merged: ImChong merged 1 commit into main from sentinel-iframe-sandbox-1295514096626381679 on Jun 24, 2026

Conversation

@ImChong (Owner) commented Jun 24, 2026

🚨 Severity: MEDIUM
💡 Vulnerability: The <iframe> elements used for embedding the Parkour demo (src/views/Demo.vue) and the Netron Viewer (src/components/OnnxNetronViewer.vue) were missing the sandbox attribute. Without this attribute, these iframes possessed overly permissive capabilities, such as the ability to navigate the top-level parent window.
🎯 Impact: An attacker could potentially compromise or inject malicious scripts into the embedded content (e.g., a manipulated Netron viewer HTML), allowing them to perform unauthorized top-level navigation (redirecting the user to a phishing site) or interfere with the main application context.
🔧 Fix: Added the sandbox="allow-scripts allow-same-origin allow-downloads allow-forms allow-modals allow-popups" attribute to the Parkour demo iframe and sandbox="allow-scripts allow-same-origin allow-downloads allow-popups" to the Netron Viewer iframe. This applies the Principle of Least Privilege, explicitly allowing only necessary functionalities while preventing dangerous actions like top-level navigation.
Verification:

  • Verify that pnpm test passes without regression.
  • Start the application with pnpm dev and ensure the G1 Parkour demo still loads and interacts properly.
  • Open the ONNX Netron Viewer and verify the model graph renders without errors.

PR created automatically by Jules for task 1295514096626381679 started by @ImChong

Co-authored-by: ImChong <74563097+ImChong@users.noreply.github.com>
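As an added example (not code from this PR or its repository), the following Node script audits <iframe> start tags in a template string for the weakness the PR describes, and also flags the caveat that allow-scripts combined with allow-same-origin does not restrain a same-origin embedded document, since such a document can remove the sandbox attribute from its own frame. The sample template strings and the demoUrl binding are constructed for the example.

```javascript
// Added example, not code from this PR: audit <iframe> start tags in a template
// string and report sandbox weaknesses. Pure string parsing, so it runs under Node.

const IFRAME_RE = /<iframe\b[^>]*>/gi;
const ATTR_RE = /([-:\w]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attributes of one <iframe ...> start tag (Vue ":src" bindings included).
function parseAttrs(tag) {
  const inner = tag.replace(/^<iframe\b/i, '').replace(/\/?>$/, '');
  const attrs = {};
  for (const m of inner.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return { src, findings[] } for every iframe in `html`; an empty findings list is a pass.
function auditIframeSandbox(html) {
  const results = [];
  for (const tag of html.match(IFRAME_RE) || []) {
    const attrs = parseAttrs(tag);
    const findings = [];
    if (!('sandbox' in attrs)) {
      findings.push('missing sandbox: frame may navigate the top-level window');
    } else {
      const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
      if (tokens.has('allow-top-navigation')) {
        findings.push('allow-top-navigation: top-level redirects re-enabled');
      }
      // A same-origin document with scripts can strip the sandbox attribute from its
      // own frame element, so this pair only restrains cross-origin content.
      if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
        findings.push('allow-scripts + allow-same-origin: ineffective for same-origin content');
      }
    }
    const src = attrs.src ?? (':src' in attrs ? `:src="${attrs[':src']}"` : '(none)');
    results.push({ src, findings });
  }
  return results;
}

// Constructed sample: the Parkour demo frame as it might look before and after the fix.
const PARKOUR_BEFORE = '<iframe :src="demoUrl" title="G1 Parkour demo"></iframe>';
const PARKOUR_AFTER =
  '<iframe :src="demoUrl" title="G1 Parkour demo" ' +
  'sandbox="allow-scripts allow-same-origin allow-downloads allow-forms allow-modals allow-popups"></iframe>';

console.log(auditIframeSandbox(PARKOUR_BEFORE + PARKOUR_AFTER));
```

Run it over the built templates in CI to catch an iframe that is added later without a sandbox attribute.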
@google-labs-jules (Contributor) commented

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@ImChong ImChong merged commit e361096 into main Jun 24, 2026
1 check passed
@ImChong ImChong deleted the sentinel-iframe-sandbox-1295514096626381679 branch June 24, 2026 14:32