Please add allow-forms to the iframe sandbox. #1105


Closed
bpmckee opened this issue Jun 5, 2019 · 4 comments
Labels: closed-obsolete (Closed as the reported issue is no longer relevant), P2 (A bug or feature request we're likely to work on), type-enhancement (A request for a change that isn't a bug)

@bpmckee

bpmckee commented Jun 5, 2019

Currently the code output's iframe has sandbox="allow-scripts".

Can it be set to sandbox="allow-scripts allow-forms"? That way onSubmit will be called for a form element.

@bpmckee
Author

bpmckee commented Jun 6, 2019

To add more detail, I want to do this.

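```dart
import 'dart:html';

// `final`, not `const`: querySelector runs at load time and is not a
// compile-time constant.
final form = querySelector('form');

void main() {
  // Handle the submit event instead of letting the browser navigate.
  form.onSubmit.listen((Event event) {
    event.preventDefault();
    print('Form submitted');
  });
}
```

```html
<form>
  <button type="submit">Submit</button>
</form>
```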

When I click the button, there's an error in the console (that I can't intercept). I can't tell when the form was supposed to be submitted.

@RedBrogdon
Contributor

That certainly seems like a reasonable request, though I'm not sure of the possible security concerns.

@devoncarew, do you happen to know if allow-forms was considered and rejected for a specific reason, or whether it was just lumped in with all the other permissions we've left off the iframe?

@RedBrogdon added the type-enhancement and P2 labels Jun 7, 2019
@devoncarew
Member

It wasn't considered specifically; we're using the min. set of permissions we can have and still allow us to execute the compiled JS.

I'd be conservative about adding more permissions.
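
Added example, not part of the thread or of DartPad's code: a review-time check that treats the `sandbox="allow-scripts"` value quoted above as the baseline and reports any permission an iframe grants beyond it. The function names, the sample markup and its `id` values are hypothetical and constructed for illustration.

```javascript
// Baseline taken from the value quoted in this issue; all names here are assumed.
const BASELINE = new Set(['allow-scripts']);

// Sandbox tokens are space-separated and ASCII case-insensitive.
function sandboxTokens(value) {
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Returns one finding per <iframe> start tag in `html`.
// Regex-based: adequate for linting templates, not a full HTML parser.
function auditIframes(html) {
  const findings = [];
  const attrRe = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=[\s>\/]|$)/i;
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attr = attrRe.exec(tag);
    if (!attr) {
      // No sandbox attribute at all: the frame runs with no restrictions.
      findings.push({ tag, sandboxed: false, added: [], escapable: false });
      continue;
    }
    const tokens = sandboxTokens(attr[1] ?? attr[2] ?? attr[3] ?? '');
    findings.push({
      tag,
      sandboxed: true,
      // Permissions granted beyond the reviewed baseline.
      added: [...tokens].filter((t) => !BASELINE.has(t)).sort(),
      // Scripts plus same-origin lets framed content served from the
      // embedder's origin remove its own sandbox attribute.
      escapable: tokens.has('allow-scripts') && tokens.has('allow-same-origin'),
    });
  }
  return findings;
}

// Constructed sample markup (not DartPad's real templates).
const SAMPLE = `
<iframe id="current" sandbox="allow-scripts"></iframe>
<iframe id="requested" sandbox="allow-scripts allow-forms"></iframe>
<iframe id="risky" sandbox="Allow-Scripts allow-same-origin"></iframe>
<iframe id="bare" src="about:blank"></iframe>`;

for (const f of auditIframes(SAMPLE)) console.log(f);
```

Run in CI over the embedding templates, a non-empty `added` list makes each new permission, such as the `allow-forms` requested here, an explicit review decision.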

@RedBrogdon added this to the Backlog milestone Jul 24, 2019
@parlough
Member

Thanks for the suggestion!

The current DartPad UI has however dropped support for standalone HTML views, so the permission likely isn't as relevant anymore.

I'll close this as stale, but if anyone has a desire to still see this change, please open a new issue with details about your use case. Thanks again :)

@parlough closed this as not planned Jun 17, 2024
@parlough added the closed-obsolete label Jun 17, 2024