Add allow-same-origin to deck/spyglass sandbox

Signed-off-by: Federico Gimenez <[email protected]>
kubernetes · Aug 1, 2021 · 6ad7772 · 6ad7772
1 parent e66c254
commit 6ad7772
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 8 deletions.
diff --git a/prow/cmd/deck/template/spyglass.html b/prow/cmd/deck/template/spyglass.html
@@ -41,7 +41,7 @@
     <div class="mdl-card__title lens-title"><h3 class="mdl-card__title-text">{{$config.Title}}</h3></div>
     <div id="{{$config.Name}}-view-container" class="lens-view-content mdl-card__supporting-text">
       <img src="/static/kubernetes-wheel.svg" alt="loading spinner" class="loading-spinner is-active lens-card-loading" id="{{$config.Name}}-loading">
-      <iframe class="lens-container" style="visibility: hidden;" id="iframe-{{$index}}" sandbox="allow-scripts allow-top-navigation allow-popups" data-lens-index="{{$index}}" data-lens-name="{{$config.Name}}"{{if $config.HideTitle}} data-hide-title="true"{{end}}></iframe>
+      <iframe class="lens-container" style="visibility: hidden;" id="iframe-{{$index}}" sandbox="allow-scripts allow-top-navigation allow-popups allow-same-origin" data-lens-index="{{$index}}" data-lens-name="{{$config.Name}}"{{if $config.HideTitle}} data-hide-title="true"{{end}}></iframe>
     </div>
   </div>
   {{end}}

diff --git a/prow/spyglass/architecture.md b/prow/spyglass/architecture.md
@@ -24,9 +24,9 @@ future they can live elsewhere. Spyglass lenses have the following responsibilit
 - Rendering HTML for human consumption
 
 Lens frontends are run in sandboxed iframes (currently `sandbox="allow-scripts allow-top-navigation
-allow-popups"`), which ensures that they can only interact with the world via the intended API. In
-particular, this prevents lenses from interacting with other Deck pseudo-APIs or with the core
-spyglass page.
+allow-popups allow-same-origin"`), which ensures that they can only interact with the world via the
+intended API. In particular, this prevents lenses from interacting with other Deck pseudo-APIs or with
+the core spyglass page.
 
 In order to provide this API to lenses, a library
 ([`prow/cmd/deck/static/spyglass/lens.ts`](../cmd/deck/static/spyglass/lens.ts)) is injected into
@@ -86,4 +86,3 @@ information from their frontend, in which case the following happens:
    relevant lens endpoint
 1. The **core** backend receives the request and invokes the **lens** backend with the relevant
    information attached.
-
diff --git a/prow/spyglass/lenses/html/template.html b/prow/spyglass/lenses/html/template.html
@@ -13,7 +13,7 @@
     {{/* Do _not_ hide this by default, that will break inner javascript that dynamically resizes. Hiding post-render is ok, so we hide on first resize request */}}
     <tr class="initial" id="{{$title}}-tr">
       <td colspan="2" style="border: 0px; padding: 0px;">
-        <iframe srcdoc="{{$content}}" title="{{$title}}" sandbox="allow-scripts allow-popups" id="{{$title}}" width="100%" scrolling="no"></iframe>
+        <iframe srcdoc="{{$content}}" title="{{$title}}" sandbox="allow-scripts allow-popups allow-same-origin" id="{{$title}}" width="100%" scrolling="no"></iframe>
       </td>
     </tr>
     {{end}}

diff --git a/prow/spyglass/lenses/html/testdata/TestRenderBody_Simple.yaml b/prow/spyglass/lenses/html/testdata/TestRenderBody_Simple.yaml
@@ -21,7 +21,7 @@ window.addEventListener(&quot;load&quot;, function(){
     var config = { attributes: true, childList: true, characterData: true, subtree:true}; // PT2
     observer.observe(window.document, config);                                            // PT3
 });
-</script>" title="file.html" sandbox="allow-scripts allow-popups" id="file.html" width="100%" scrolling="no"></iframe>
+</script>" title="file.html" sandbox="allow-scripts allow-popups allow-same-origin" id="file.html" width="100%" scrolling="no"></iframe>
       </td>
     </tr>
 

diff --git a/prow/spyglass/lenses/html/testdata/TestRenderBody_With_quotes.yaml b/prow/spyglass/lenses/html/testdata/TestRenderBody_With_quotes.yaml
@@ -21,7 +21,7 @@ window.addEventListener(&quot;load&quot;, function(){
     var config = { attributes: true, childList: true, characterData: true, subtree:true}; // PT2
     observer.observe(window.document, config);                                            // PT3
 });
-</script>" title="file.html" sandbox="allow-scripts allow-popups" id="file.html" width="100%" scrolling="no"></iframe>
+</script>" title="file.html" sandbox="allow-scripts allow-popups allow-same-origin" id="file.html" width="100%" scrolling="no"></iframe>
       </td>
     </tr>