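--- a/server/static/sandbox_proxy.html
+++ b/server/static/sandbox_proxy.html
@@ -166,7 +166,19 @@
 inner.contentWindow.postMessage(event.data, "*");
 }
 }
-} else if (event.source === inner.contentWindow) {
+} else if (
+event.source === inner.contentWindow ||
+// Safari/WebKit workaround: postMessage from the inner same-origin
+// iframe sometimes arrives at this outer sandbox with
+// `event.source === window` instead of `inner.contentWindow`.
+// Chromium and Firefox set the source to the inner contentWindow as
+// expected. Without this branch, messages such as `ui/initialize`
+// get dropped on Safari and MCP Apps fail to handshake. The origin
+// check below remains the security boundary -- only same-origin
+// messages (which can only originate inside this sandbox) are
+// relayed to the host. See issue #1203.
+(event.origin === OWN_ORIGIN && event.source === window)
+) {
 if (event.origin !== OWN_ORIGIN) {
 console.error(
 "[Sandbox] Rejecting message from inner iframe with unexpected origin:",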
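Review bot: The new `event.source === window` clause widens what the proxy relays to the host from "messages sent by the inner frame" to "any same-origin message delivered on the proxy window itself", so a script running in the outer document (an injected content script, for example) is now handled as if it were the inner app. The comment's claim that same-origin messages can only originate inside this sandbox depends on how `OWN_ORIGIN` is defined, which this hunk does not show. If `OWN_ORIGIN` could ever be the opaque-origin string `"null"`, the equality check is weaker than it reads, so I would write the clause as `(OWN_ORIGIN !== "null" && event.origin === OWN_ORIGIN && event.source === window)`. The comment should also state that on this path the trust boundary is the whole proxy document plus the inner frame, and the fallback could be limited to the message shapes the handshake expects before relaying. The handler body continues outside the hunk, so the relay step itself could not be checked here.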