Skip to content

fix(web): 补全首页 URL iframe 的 sandbox token,修复字体失效与 target=_top 菜单跳转 (#5907)#5909

Open
Heykode wants to merge 1 commit into
QuantumNous:mainfrom
Heykode:fix/home-iframe-font-cors
Open

fix(web): 补全首页 URL iframe 的 sandbox token,修复字体失效与 target=_top 菜单跳转 (#5907)#5909
Heykode wants to merge 1 commit into
QuantumNous:mainfrom
Heykode:fix/home-iframe-font-cors

Conversation

@Heykode

@Heykode Heykode commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

📝 变更描述 / Description

首页内容(HomePageContent)设置为 URL 时,首页用 <iframe> 嵌入该 URL。该 iframe 自 #5760(commit 0b48ad86)起带上了 sandbox 属性,但 token 集不完整,给被嵌页面带来两个回归(rc.16 前均无此问题):

1. 缺 allow-same-origin → 自定义字体失效
缺该 token 时被嵌文档被放入 opaque origin(null),其同域 @font-face 字体请求被当作跨域:字体请求始终以 CORS 模式发起、携带 Origin: null,被嵌页面服务器通常不为自家静态字体返回 Access-Control-Allow-Origin,于是字体被拦、回退系统字体。表现为"直接打开 URL 字体正常、放进首页 iframe 字体丢失"。

2. 缺 allow-top-navigation-by-user-activationtarget="_top" 菜单链接点击无跳转
被嵌页面的导航/菜单链接普遍用 target="_top"(意图跳出 iframe、导航顶层窗口)。默认 sandbox 禁止顶层导航,桌面浏览器(Chrome/Edge)严格执行,导致点击这些链接静默无反应;部分移动端浏览器对 sandboxed 导航执行较宽松,故手机端表现为"能跳",桌面端"不跳"。

本 PR 为该 iframe 补上这两个 token。首页 URL 由管理员配置(可信来源),项目已有同类可信 iframe 用法(components/ai-elements/web-preview.tsx 使用 allow-scripts allow-same-origin 组合),本改动与之一致,并加注释说明取舍。选用 allow-top-navigation-by-user-activation(仅用户点击可触发顶层导航)而非更宽松的 allow-top-navigation,以在恢复菜单跳转的同时保持最小授权。

🚀 变更类型 / Type of change

  • 🐛 Bug 修复 (Bug fix) - 请关联对应 Issue

🔗 关联任务 / Related Issue

✅ 提交前检查项 / Checklist

  • 人工确认: 我已亲自整理并撰写此描述。(另见下方 AI 协助声明)
  • 非重复提交: 我已搜索现有 Issues 与 PRs,确认不是重复提交。
  • Bug fix 说明: 本 PR 已关联 Issue 首页 URL iframe 缺少 allow-same-origin 导致被嵌页面自定义字体失效(rc.16 回归) #5907,两处均为 rc.16 引入的回归,非设计取舍。
  • 变更理解: 我已理解这些更改的工作原理及影响(含 allow-same-origin + allow-scripts 的安全取舍:仅用于管理员配置的可信 URL;顶层导航采用 user-activation 变体以最小授权)。
  • 范围聚焦: 本 PR 仅改动首页 iframe 的 sandbox 属性一处(及说明注释),无无关改动。
  • 本地验证: 已本地 bun run typecheck 通过;format:check 对本文件无新增问题。
  • 安全合规: 无敏感凭据,符合项目规范。

📸 运行证明 / Proof of Work

  • 定位:web/default/src/features/home/index.tsx 的 URL iframe。
  • 引入回归的 commit:0b48ad86fix(web): render custom HTML and Markdown content consistently #5760,2026-06-27),git tag --contains 仅含 v1.0.0-rc.16;rc.13/14/15 该 iframe 无 sandbox。
  • 本地 bun run typechecktsgo -b)通过,无类型错误。
  • 改动 diff:sandbox 由
    allow-forms allow-popups allow-popups-to-escape-sandbox allow-scripts
    改为
    allow-same-origin allow-top-navigation-by-user-activation allow-forms allow-popups allow-popups-to-escape-sandbox allow-scripts,并新增说明性注释。

关于 oxlint 的 react/iframe-missing-sandbox:该规则会对 allow-scripts + allow-same-origin 组合报 error,但项目 main 中既有的 web-preview.tsx 同样使用该组合,且 main 全量 lint 本就存在多条既有 error,故未额外处理;如维护者希望,我可改用其它豁免方式。


AI 协助声明: 本 PR 的问题定位、根因分析与代码改动在 AI(Claude)辅助下完成,所有结论均经源码与 git 历史核对,并已本地 typecheck 验证。提交者非本仓库历史核心开发者,特此声明。

Summary by CodeRabbit

  • Bug Fixes
    • Improved the embedded custom home page so trusted, admin-configured content can load same-origin resources correctly, including fonts.
    • User-initiated link clicks that navigate the top window (e.g., “open in top frame”) now work as expected.

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

The custom home page URL iframe sandbox was expanded to allow same-origin access and user-activated top-level navigation, with a comment explaining the trusted admin-configured source and the font-loading impact.

Changes

Home page iframe sandbox fix

Layer / File(s) Summary
Add allow-same-origin to iframe sandbox
web/default/src/features/home/index.tsx
The iframe sandbox is updated to include allow-same-origin and allow-top-navigation-by-user-activation, with a comment describing the trusted URL source and the behavior of same-origin resources and top-level links.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

  • QuantumNous/new-api#5545: Both PRs touch the custom home page iframe rendering in Home, with related iframe configuration changes.

Poem

A bunny peeks at fonts anew,
The iframe lets same-origin through.
Top links hop where users guide,
And trusted pages bloom inside. 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The change adds allow-same-origin to the home URL iframe sandbox, which matches the issue's required fix for font loading.
Out of Scope Changes check ✅ Passed The extra top-navigation sandbox token and explanatory comment stay aligned with the same iframe behavior fix.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the iframe sandbox token fix and the resulting font and top-navigation behavior changes.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

The custom home page URL iframe was given a sandbox attribute in QuantumNous#5760
with an incomplete token set, causing two regressions for the embedded
page (both absent before rc.16):

1. Missing allow-same-origin forced the embedded document into an opaque
   (null) origin, so its own same-origin @font-face requests were treated
   as cross-origin and blocked by CORS, falling back to system fonts.
2. Missing allow-top-navigation-by-user-activation blocked the embedded
   page's target="_top" links from navigating the top-level window on
   user click (nav/menu links did nothing on desktop).

Since the home page URL is admin-configured (trusted), add both tokens to
restore same-origin resource loading and user-initiated top navigation.

Closes QuantumNous#5907
@Heykode Heykode force-pushed the fix/home-iframe-font-cors branch from c72e10a to 2e83a0a Compare July 4, 2026 17:37
@Heykode Heykode changed the title fix(web): 首页 URL iframe 补充 allow-same-origin 以修复被嵌页面字体失效 (#5907) fix(web): 补全首页 URL iframe 的 sandbox token,修复字体失效与 target=_top 菜单跳转 (#5907) Jul 4, 2026
@Calcium-Ion

Copy link
Copy Markdown
Member

allow-same-origin风险太大了,无法接受

@Heykode

Heykode commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

感谢 review,完全理解 allow-same-origin 的安全顾虑 —— 它与 allow-scripts 同时开启会让 sandbox 隔离基本失效,对管理员配置的外部页面确实有会话窃取等风险,这个否决是合理的。

这个 PR 想解决的是 #5907 里首页嵌入页(自定义首页 URL)的两个体验问题:

  1. 嵌入页自身的 @font-face 字体被当作跨域资源拦截,导致字体失效;
  2. 嵌入页里 target="_top" 的菜单/导航链接在默认 sandbox 下无法跳转顶层窗口。

由于字体跨域限制是浏览器 CORS 机制决定的,想在 sandbox iframe 内加载嵌入页自己的字体,除了 allow-same-origin 之外几乎没有干净的绕法,而这正是您否决的点。所以想请教您能接受的方向:

  • 方案 A:仅补 allow-top-navigation-by-user-activation(先解决菜单跳转问题,字体失效暂不处理,由用户把字体放到同源/CDN 解决);
  • 方案 B:您倾向完全不用 sandbox iframe(考虑到首页 URL 是管理员配置的可信来源),或改为整页跳转/重定向的方式承载自定义首页。

我按您认可的方向重做这个 PR。如果您认为这个问题应交由用户自行解决、不在框架层面处理,我也可以关闭本 PR。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

首页 URL iframe 缺少 allow-same-origin 导致被嵌页面自定义字体失效(rc.16 回归)

2 participants