fix(web): 补全首页 URL iframe 的 sandbox token,修复字体失效与 target=_top 菜单跳转 (#5907)#5909
fix(web): 补全首页 URL iframe 的 sandbox token,修复字体失效与 target=_top 菜单跳转 (#5907)#5909Heykode wants to merge 1 commit into
Conversation
WalkthroughThe custom home page URL iframe sandbox was expanded to allow same-origin access and user-activated top-level navigation, with a comment explaining the trusted admin-configured source and the font-loading impact. ChangesHome page iframe sandbox fix
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
The custom home page URL iframe was given a sandbox attribute in QuantumNous#5760 with an incomplete token set, causing two regressions for the embedded page (both absent before rc.16): 1. Missing allow-same-origin forced the embedded document into an opaque (null) origin, so its own same-origin @font-face requests were treated as cross-origin and blocked by CORS, falling back to system fonts. 2. Missing allow-top-navigation-by-user-activation blocked the embedded page's target="_top" links from navigating the top-level window on user click (nav/menu links did nothing on desktop). Since the home page URL is admin-configured (trusted), add both tokens to restore same-origin resource loading and user-initiated top navigation. Closes QuantumNous#5907
c72e10a to
2e83a0a
Compare
|
allow-same-origin风险太大了,无法接受 |
|
感谢 review,完全理解 这个 PR 想解决的是 #5907 里首页嵌入页(自定义首页 URL)的两个体验问题:
由于字体跨域限制是浏览器 CORS 机制决定的,想在 sandbox iframe 内加载嵌入页自己的字体,除了
我按您认可的方向重做这个 PR。如果您认为这个问题应交由用户自行解决、不在框架层面处理,我也可以关闭本 PR。 |
📝 变更描述 / Description
首页内容(HomePageContent)设置为 URL 时,首页用
<iframe>嵌入该 URL。该 iframe 自 #5760(commit0b48ad86)起带上了sandbox属性,但 token 集不完整,给被嵌页面带来两个回归(rc.16 前均无此问题):1. 缺
allow-same-origin→ 自定义字体失效缺该 token 时被嵌文档被放入 opaque origin(
null),其同域@font-face字体请求被当作跨域:字体请求始终以 CORS 模式发起、携带Origin: null,被嵌页面服务器通常不为自家静态字体返回Access-Control-Allow-Origin,于是字体被拦、回退系统字体。表现为"直接打开 URL 字体正常、放进首页 iframe 字体丢失"。2. 缺
allow-top-navigation-by-user-activation→target="_top"菜单链接点击无跳转被嵌页面的导航/菜单链接普遍用
target="_top"(意图跳出 iframe、导航顶层窗口)。默认 sandbox 禁止顶层导航,桌面浏览器(Chrome/Edge)严格执行,导致点击这些链接静默无反应;部分移动端浏览器对 sandboxed 导航执行较宽松,故手机端表现为"能跳",桌面端"不跳"。本 PR 为该 iframe 补上这两个 token。首页 URL 由管理员配置(可信来源),项目已有同类可信 iframe 用法(
components/ai-elements/web-preview.tsx使用allow-scripts allow-same-origin组合),本改动与之一致,并加注释说明取舍。选用allow-top-navigation-by-user-activation(仅用户点击可触发顶层导航)而非更宽松的allow-top-navigation,以在恢复菜单跳转的同时保持最小授权。🚀 变更类型 / Type of change
🔗 关联任务 / Related Issue
✅ 提交前检查项 / Checklist
allow-same-origin+allow-scripts的安全取舍:仅用于管理员配置的可信 URL;顶层导航采用 user-activation 变体以最小授权)。bun run typecheck通过;format:check对本文件无新增问题。📸 运行证明 / Proof of Work
web/default/src/features/home/index.tsx的 URL iframe。0b48ad86(fix(web): render custom HTML and Markdown content consistently #5760,2026-06-27),git tag --contains仅含v1.0.0-rc.16;rc.13/14/15 该 iframe 无 sandbox。bun run typecheck(tsgo -b)通过,无类型错误。allow-forms allow-popups allow-popups-to-escape-sandbox allow-scripts改为
allow-same-origin allow-top-navigation-by-user-activation allow-forms allow-popups allow-popups-to-escape-sandbox allow-scripts,并新增说明性注释。Summary by CodeRabbit