From 2e83a0a054c20408a4906449a878ecbf94bdc0d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=B4=BA=2E?= Date: Sun, 5 Jul 2026 00:46:40 +0800 Subject: [PATCH] fix(web): complete custom home URL iframe sandbox tokens The custom home page URL iframe was given a sandbox attribute in #5760 with an incomplete token set, causing two regressions for the embedded page (both absent before rc.16): 1. Missing allow-same-origin forced the embedded document into an opaque (null) origin, so its own same-origin @font-face requests were treated as cross-origin and blocked by CORS, falling back to system fonts. 2. Missing allow-top-navigation-by-user-activation blocked the embedded page's target="_top" links from navigating the top-level window on user click (nav/menu links did nothing on desktop). Since the home page URL is admin-configured (trusted), add both tokens to restore same-origin resource loading and user-initiated top navigation. Closes #5907 --- web/default/src/features/home/index.tsx | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/web/default/src/features/home/index.tsx b/web/default/src/features/home/index.tsx index 0494191ec6b..d79e3c15a2c 100644 --- a/web/default/src/features/home/index.tsx +++ b/web/default/src/features/home/index.tsx @@ -47,11 +47,21 @@ export function Home() { if (isUrl) { return ( + {/* + The custom home page URL is admin-configured (trusted). + - allow-same-origin: keep the embedded page's real origin so its own + same-origin resources (notably @font-face fonts) are not treated as + cross-origin and blocked by CORS. + - allow-top-navigation-by-user-activation: let the embedded page's + target="_top" links navigate the top-level window on user click + (e.g. nav/menu links), which the default sandbox otherwise blocks. + This mirrors the existing trusted-iframe usage in web-preview.tsx. + */}