🛡️ Sentinel: [security improvement] Add sandbox attribute to iframes #157
Co-authored-by: ImChong <74563097+ImChong@users.noreply.github.com>
🚨 Severity: MEDIUM

💡 Vulnerability: The `<iframe>` elements used for embedding the Parkour demo (src/views/Demo.vue) and the Netron Viewer (src/components/OnnxNetronViewer.vue) were missing the `sandbox` attribute. Without this attribute, these iframes possessed overly permissive capabilities, such as the ability to navigate the top-level parent window.

🎯 Impact: An attacker could potentially compromise or inject malicious scripts into the embedded content (e.g., a manipulated Netron viewer HTML), allowing them to perform unauthorized top-level navigation (redirecting the user to a phishing site) or interfere with the main application context.

🔧 Fix: Added the `sandbox="allow-scripts allow-same-origin allow-downloads allow-forms allow-modals allow-popups"` attribute to the Parkour demo iframe and `sandbox="allow-scripts allow-same-origin allow-downloads allow-popups"` to the Netron Viewer iframe. This applies the Principle of Least Privilege, explicitly allowing only necessary functionalities while preventing dangerous actions like top-level navigation.

✅ Verification:
- `pnpm test` passes without regression.
- `pnpm dev` and ensure the G1 Parkour demo still loads and interacts properly.

PR created automatically by Jules for task 1295514096626381679 started by @ImChong
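A reviewer-side check for the fix described above, added here as an example and not part of the PR or the project: it scans a template string for `<iframe>` tags, parses the `sandbox` token list, and reports a missing attribute, any `allow-top-navigation` grant, and the HTML-spec caveat that `allow-scripts` plus `allow-same-origin` gives no containment when the framed document is same-origin. The `BEFORE`/`AFTER` snippets are constructed to resemble the change, not the repository's actual files.

```javascript
// Added example (not the PR's or project's code): audit the sandbox attribute of
// every <iframe> in a template string and report what each configuration permits.
const SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Parse one <iframe ...> tag's attributes (double-quoted values; bare attrs map to "").
function parseAttributes(tag) {
  const body = tag.replace(/^<iframe\s*/i, '').replace(/\/?>$/, '');
  const re = /([:@\w-]+)(?:\s*=\s*"([^"]*)")?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? '';
  return attrs;
}

// Audit one tag. No sandbox attribute means the framed document may navigate the
// top-level window, which is the weakness the PR addresses.
function auditIframe(tag) {
  const attrs = parseAttributes(tag);
  if (!('sandbox' in attrs)) {
    return { sandboxed: false, tokens: [], findings: ['missing sandbox attribute'] };
  }
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  const findings = tokens.filter(t => !SANDBOX_TOKENS.has(t)).map(t => `unknown token: ${t}`);
  if (tokens.includes('allow-top-navigation')) {
    findings.push('allow-top-navigation: top-level redirects still permitted');
  }
  // HTML spec caveat: a same-origin document granted both of these flags can remove
  // the sandbox attribute from its own <iframe> and reload itself unsandboxed.
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: no containment for same-origin content');
  }
  return { sandboxed: true, tokens, findings };
}

// Audit every <iframe> tag in a template (plain HTML or a Vue SFC <template>).
function auditTemplate(html) {
  return (html.match(/<iframe\b[^>]*>/gi) || []).map(auditIframe);
}

// Constructed samples shaped like the before/after the PR describes (not the real files).
const BEFORE = '<iframe :src="demoUrl" title="Parkour demo"></iframe>';
const AFTER = '<iframe :src="demoUrl" title="Parkour demo" sandbox="allow-scripts ' +
  'allow-same-origin allow-downloads allow-forms allow-modals allow-popups"></iframe>';
console.log(auditTemplate(BEFORE + AFTER));
```

Running it over the Vue templates in a pre-commit hook would catch a future iframe added without `sandbox`, and the same-origin finding is the one to weigh for the Netron viewer if its HTML is served from the application's own origin.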