fix(security): tighten strategy-market iframe permissions

Two issues in the prior commit that the embedded vergex.trade explore
iframe did not actually need:

  1. `allow=clipboard-write` granted the iframe silent write access to
     the user's clipboard via the Clipboard API. A compromised or
     compromised-by-injection vergex page could overwrite copied
     content — classic clipboard-hijack pattern (e.g. swap a copied
     wallet address right before the user pastes it into a send form).
     The explore view does not need this capability; drop it. Matches
     the existing DataPage.tsx iframe pattern.

  2. No `sandbox` attribute, so the iframe ran with full implicit
     permissions: arbitrary scripts, form submission, top-level
     navigation, modals, pointer lock, etc. Add an explicit sandbox
     whitelist that grants only what the explore view actually uses:

       allow-scripts allow-same-origin allow-forms
       allow-popups allow-popups-to-escape-sandbox

     Notably withheld:
       - allow-top-navigation: the iframe cannot redirect the NOFX
         shell to an arbitrary URL.
       - allow-modals / allow-pointer-lock / allow-orientation-lock:
         not used by the explore page.
       - allow-storage-access-by-user-activation: keeps third-party
         storage access prompts off the embedded surface.

Verified: explore page renders identically; no sandbox-related
violations in the console (residual errors are vergex's own internal
CSP rejecting analytics + asset fetches, unrelated to our embedding).
tinkle-community
2026-06-02 01:56:32 +08:00
parent 30c6abca74
commit 3c061aee94
@@ -20,7 +20,23 @@ export function StrategyMarketPage() {
src="https://vergex.trade/explore" src="https://vergex.trade/explore"
title={t('strategyMarket', language) || 'Strategy Market'} title={t('strategyMarket', language) || 'Strategy Market'}
className="h-full w-full border-0" className="h-full w-full border-0"
allow="fullscreen; clipboard-write" // Permission policy: keep minimal. `fullscreen` matches the existing
// DataPage iframe; `clipboard-write` was previously listed but is
// not needed by the embedded view and would let the iframe silently
// overwrite the user's clipboard (classic clipboard-hijack pattern,
// e.g. swap a copied wallet address). Drop it.
allow="fullscreen"
// Sandbox grants vergex.trade only what it actually needs to render
// the explore page: run scripts, talk to its own origin / wallet
// providers (allow-same-origin), submit search forms, open external
// links in new tabs. Notably absent:
// - allow-top-navigation: prevents the iframe from navigating the
// parent NOFX shell to an arbitrary URL.
// - allow-modals / allow-pointer-lock / allow-orientation-lock:
// not needed for a strategy list view.
// - allow-storage-access-by-user-activation: keeps any third-party
// storage access prompts out of the embedded surface.
sandbox="allow-scripts allow-same-origin allow-forms allow-popups allow-popups-to-escape-sandbox"
referrerPolicy="strict-origin-when-cross-origin" referrerPolicy="strict-origin-when-cross-origin"
/> />
</div> </div>
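Review bot: the comment block above the new `sandbox` line says `allow-same-origin` lets the frame "talk to its own origin / wallet providers", which overstates what the token does; suggest rewording it to the actual effect, namely that the frame keeps its real origin (vergex.trade rather than an opaque origin, and never the NOFX origin), so its own cookies, storage and same-origin fetches keep working. Two more lines in that comment would save the next reader a trip to the spec: `allow-popups-to-escape-sandbox` means any tab the frame opens runs with no sandbox restrictions at all, so the "open external links in new tabs" path is unrestricted by design, and `fullscreen` is controlled by the `allow` permission policy on the line above, not by `sandbox`, which is why no sandbox token covers it. Finally, since `allow-scripts` and `allow-same-origin` together let a same-origin document remove its own sandbox attribute, a comment noting that this combination is only safe because `src` is cross-origin would guard against someone later pointing this iframe at a same-origin page.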