From 3c061aee948ebebbf361a711804c628d60f11ce7 Mon Sep 17 00:00:00 2001 From: tinkle-community Date: Tue, 2 Jun 2026 01:56:32 +0800 Subject: [PATCH] fix(security): tighten strategy-market iframe permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two issues in the prior commit that the embedded vergex.trade explore iframe did not actually need: 1. `allow=clipboard-write` granted the iframe silent write access to the user's clipboard via the Clipboard API. A compromised or compromised-by-injection vergex page could overwrite copied content — classic clipboard-hijack pattern (e.g. swap a copied wallet address right before the user pastes it into a send form). The explore view does not need this capability; drop it. Matches the existing DataPage.tsx iframe pattern. 2. No `sandbox` attribute, so the iframe ran with full implicit permissions: arbitrary scripts, form submission, top-level navigation, modals, pointer lock, etc. Add an explicit sandbox whitelist that grants only what the explore view actually uses: allow-scripts allow-same-origin allow-forms allow-popups allow-popups-to-escape-sandbox Notably withheld: - allow-top-navigation: the iframe cannot redirect the NOFX shell to an arbitrary URL. - allow-modals / allow-pointer-lock / allow-orientation-lock: not used by the explore page. - allow-storage-access-by-user-activation: keeps third-party storage access prompts off the embedded surface. Verified: explore page renders identically; no sandbox-related violations in the console (residual errors are vergex's own internal CSP rejecting analytics + asset fetches, unrelated to our embedding).
---
 web/src/pages/StrategyMarketPage.tsx | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/web/src/pages/StrategyMarketPage.tsx b/web/src/pages/StrategyMarketPage.tsx
index 588d8d34..0d39a883 100644
--- a/web/src/pages/StrategyMarketPage.tsx
+++ b/web/src/pages/StrategyMarketPage.tsx
@@ -20,7 +20,23 @@ export function StrategyMarketPage() {
 src="https://vergex.trade/explore"
 title={t('strategyMarket', language) || 'Strategy Market'}
 className="h-full w-full border-0"
- allow="fullscreen; clipboard-write"
+ // Permission policy: keep minimal. `fullscreen` matches the existing
+ // DataPage iframe; `clipboard-write` was previously listed but is
+ // not needed by the embedded view and would let the iframe silently
+ // overwrite the user's clipboard (classic clipboard-hijack pattern,
+ // e.g. swap a copied wallet address). Drop it.
+ allow="fullscreen"
+ // Sandbox grants vergex.trade only what it actually needs to render
+ // the explore page: run scripts, talk to its own origin / wallet
+ // providers (allow-same-origin), submit search forms, open external
+ // links in new tabs. Notably absent:
+ // - allow-top-navigation: prevents the iframe from navigating the
+ // parent NOFX shell to an arbitrary URL.
+ // - allow-modals / allow-pointer-lock / allow-orientation-lock:
+ // not needed for a strategy list view.
+ // - allow-storage-access-by-user-activation: keeps any third-party
+ // storage access prompts out of the embedded surface.
+ sandbox="allow-scripts allow-same-origin allow-forms allow-popups allow-popups-to-escape-sandbox"
 referrerPolicy="strict-origin-when-cross-origin"
 />
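Review bot: The new `sandbox=` line keeps the frame from navigating the NOFX shell, but no sandbox flag stops the frame from navigating itself: a compromised vergex.trade page can set `location` to any origin, and because `allow-scripts allow-same-origin` are both granted, whatever origin it lands on renders fully scripted inside the NOFX chrome — exactly the wallet-address spoofing scenario the comment above `allow=` worries about. The hunk pins `src` but nothing pins what the frame may later load; that is the parent document's Content-Security-Policy, e.g. `frame-src https://vergex.trade;` in the NOFX response headers (or a `<meta http-equiv="Content-Security-Policy">` tag if headers are not set from this repo), which this change does not add and is worth adding unless the deployment already sets one. I would also extend the sandbox comment with one line stating the trade-off of its last flag, `// - allow-popups-to-escape-sandbox: windows the frame opens are NOT sandboxed (intended for external links only)`. The enclosing `<iframe` element and StrategyMarketPage start before this hunk, and the hunk's trailing context line appears to be cut off in this listing.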