From 54bb80c862da4d2998a184ee13c2a5f779e7acaa Mon Sep 17 00:00:00 2001 From: midori Date: Mon, 12 Aug 2024 23:46:45 +0000 Subject: [PATCH] Allow passing sandbox attributes to iframes --- src/helper/iframe-handler.js | 3 +++ src/web-auth/index.js | 6 +++++- src/web-auth/silent-authentication-handler.js | 4 +++- src/web-auth/web-message-handler.js | 3 ++- test/helper/iframe-handler.test.js | 14 ++++++++++++++ .../web-auth/silent-authentication-handler.test.js | 9 +++++++++ test/web-auth/web-auth.test.js | 7 +++++-- 7 files changed, 41 insertions(+), 5 deletions(-) diff --git a/src/helper/iframe-handler.js b/src/helper/iframe-handler.js index c26f8ac76..7c99474cf 100644 --- a/src/helper/iframe-handler.js +++ b/src/helper/iframe-handler.js @@ -11,6 +11,8 @@ function IframeHandler(options) { this._destroyTimeout = null; this.transientMessageEventListener = null; this.proxyEventListener = null; + this.sandbox = options.sandbox == null ? + 'allow-same-origin allow-scripts' : options.sandbox; // If no event identifier specified, set default this.eventValidator = options.eventValidator || { isValid: function() { @@ -57,6 +59,7 @@ IframeHandler.prototype.init = function() { _window.document.body.appendChild(this.iframe); this.iframe.src = this.url; + this.iframe.sandbox = this.sandbox; this.timeoutHandle = setTimeout(function() { _this.timeoutHandler(); diff --git a/src/web-auth/index.js b/src/web-auth/index.js index c0ea32ba1..6254c14d5 100644 --- a/src/web-auth/index.js +++ b/src/web-auth/index.js @@ -575,6 +575,7 @@ WebAuth.prototype.validateToken = function (token, nonce, cb) { * @param {String} [options.postMessageOrigin] origin of redirectUri to expect postMessage response from. Defaults to the origin of the receiving window. Only used if usePostMessage is truthy. * @param {String} [options.timeout] value in milliseconds used to timeout when the `/authorize` call is failing as part of the silent authentication with postmessage enabled due to a configuration. * @param {Boolean} [options.usePostMessage] use postMessage to comunicate between the silent callback and the SPA. When false the SDK will attempt to parse the url hash should ignore the url hash and no extra behaviour is needed + * @param {String} [options.sandbox] attribute values for the hidden iframe. Defaults to `allow-same-origin allow-scripts` * @param {authorizeCallback} cb * @see {@link https://auth0.com/docs/api/authentication#authorize-client} * @memberof WebAuth.prototype @@ -586,6 +587,7 @@ WebAuth.prototype.renewAuth = function (options, cb) { var postMessageOrigin = options.postMessageOrigin || windowHelper.getWindow().origin; var timeout = options.timeout; + var sandbox = options.sandbox; var _this = this; var params = objectHelper @@ -625,7 +627,8 @@ WebAuth.prototype.renewAuth = function (options, cb) { authenticationUrl: this.client.buildAuthorizeUrl(params), postMessageDataType: postMessageDataType, postMessageOrigin: postMessageOrigin, - timeout: timeout + timeout: timeout, + sandbox: sandbox }); handler.login(usePostMessage, function (err, hash) { @@ -675,6 +678,7 @@ WebAuth.prototype.renewAuth = function (options, cb) { * @param {String} [options.audience] identifier of the resource server who will consume the access token issued after Auth * @param {String} [options.timeout] value in milliseconds used to timeout when the `/authorize` call is failing as part of the silent authentication with postmessage enabled due to a configuration. * @param {String} [options.organization] the id or name of an organization to log in to + * @param {String} [options.sandbox] attribute values for the hidden iframe. Defaults to `allow-same-origin allow-scripts` * @param {checkSessionCallback} cb * @see {@link https://auth0.com/docs/libraries/auth0js/v9#using-checksession-to-acquire-new-tokens} * @memberof WebAuth.prototype diff --git a/src/web-auth/silent-authentication-handler.js b/src/web-auth/silent-authentication-handler.js index 1412eabd4..a7c7840c3 100644 --- a/src/web-auth/silent-authentication-handler.js +++ b/src/web-auth/silent-authentication-handler.js @@ -6,6 +6,7 @@ function SilentAuthenticationHandler(options) { this.timeout = options.timeout || 60 * 1000; this.handler = null; this.postMessageDataType = options.postMessageDataType || false; + this.sandbox = options.sandbox; // prefer origin from options, fallback to origin from browser, and some browsers (for example MS Edge) don't support origin; fallback to construct origin manually this.postMessageOrigin = @@ -40,7 +41,8 @@ SilentAuthenticationHandler.prototype.login = function( '#error=timeout&error_description=Timeout+during+authentication+renew.' ); }, - usePostMessage: usePostMessage || false + usePostMessage: usePostMessage || false, + sandbox: this.sandbox }); this.handler.init(); diff --git a/src/web-auth/web-message-handler.js b/src/web-auth/web-message-handler.js index bafb0b990..b3b09e60e 100644 --- a/src/web-auth/web-message-handler.js +++ b/src/web-auth/web-message-handler.js @@ -26,7 +26,8 @@ function runWebMessageFlow(authorizeUrl, options, callback) { error_description: 'Timeout during executing web_message communication', state: options.state }); - } + }, + sandbox: options.sandbox }); handler.init(); } diff --git a/test/helper/iframe-handler.test.js b/test/helper/iframe-handler.test.js index 6c9d7cd5b..f18b44188 100644 --- a/test/helper/iframe-handler.test.js +++ b/test/helper/iframe-handler.test.js @@ -121,6 +121,20 @@ describe('helpers iframeHandler', function() { expect(windowHelper.getWindow().document.body); expect(iframe.src).to.be('my-url'); expect(iframe.style.display).to.be('none'); + expect(iframe.sandbox).to.be('allow-same-origin allow-scripts'); + }); + + it('should create a hidden iframe with specific sandbox attributes', function () { + var iframe = stubWindow('load'); + var iframeHandler = new IframeHandler({ + url: 'my-url', + callback: function() {}, + sandbox: 'allow-same-origin' + }); + + iframeHandler.init(); + + expect(iframe.sandbox).to.be('allow-same-origin'); }); it('should callback after a timeout', function() { diff --git a/test/web-auth/silent-authentication-handler.test.js b/test/web-auth/silent-authentication-handler.test.js index b981079aa..f08fd7cac 100644 --- a/test/web-auth/silent-authentication-handler.test.js +++ b/test/web-auth/silent-authentication-handler.test.js @@ -340,5 +340,14 @@ describe('handlers silent-authentication-handler', function() { expect(sah.postMessageOrigin).to.be('https://unit-test'); }); + + it('sets sandbox from parameter', function () { + var expectedSandbox = 'unit-test-sandbox'; + var param = { sandbox: expectedSandbox }; + + var sah = new SilentAuthenticationHandler(param); + + expect(sah.sandbox).to.be(expectedSandbox); + }); }); }); diff --git a/test/web-auth/web-auth.test.js b/test/web-auth/web-auth.test.js index deed9598a..598cf0e22 100644 --- a/test/web-auth/web-auth.test.js +++ b/test/web-auth/web-auth.test.js @@ -242,12 +242,14 @@ describe('auth0.WebAuth', function () { webAuth.renewAuth(options, function (err, data) { }); }); - it('should use postMessageOrigin if provided', function (done) { + it('should use postMessageOrigin and sandbox if provided', function (done) { var postMessageOrigin = 'foobar1'; + var sandbox = 'allow-same-origin' sinon .stub(SilentAuthenticationHandler, 'create') .callsFake(function (options) { expect(options.postMessageOrigin).to.eql(postMessageOrigin); + expect(options.sandbox).to.eql(sandbox); done(); return { login: function () { } @@ -267,7 +269,8 @@ describe('auth0.WebAuth', function () { var options = { nonce: '123', state: '456', - postMessageOrigin: postMessageOrigin + postMessageOrigin: postMessageOrigin, + sandbox: sandbox }; webAuth.renewAuth(options, function (err, data) { });