sandbox option for iFrame about muximux HOT 10 CLOSED

I'll look into it. Do you know which specific sandbox options that would work with your desired content, while not breaking anything for other applications such as PlexPy, NzbGet and others?

The easiest is to do a "catch all" that applies the same sandbox settings to all iframes - having it be a config option would probably make the config even more confusing (though I'm expecting some administration GUI to be merged into Muximux after the work of @SyNiK4L).

Do you have examples of web interfaces that require sandbox mode? I know TPB breaks out of iframes, but I'd be glad if I knew which web interfaces to test against.

from muximux.

Maybe you could just have a config option that lets you set a string of flags to send, so it would be up to the user to add the options they want... like:

iframe_sandbox_opts = "allow-forms allow-pointer-lock".

Then the PHP code could simply put that option (if provided) inside the sandbox= option of the iframe for each entry.

from muximux.

@evanmj - absolutely - I just don't want to make the config to confusing, so if there was something that would work for everyone, that'd be great. I haven't fiddled with sandbox options previously, so I'm not aware of the drawbacks of each option.

If it turns out there's no one single setting that would work for everything, I'll do just what you described.

from muximux.

Just tested sandbox="allow-forms allow-same-origin allow-pointer-lock allow-scripts" which fixes the problem described in #8 , however - before pushing this, could @creoden verify either by supplying a link to a website/web frontend that I can test on (that currently breaks), or if you could modify muximux.php on your end to include sandbox=\"allow-forms allow-same-origin allow-pointer-lock allow-scripts\" on the iframes to see if that solves your case. If it works, I'll push this asap.

I've tested this with Pydio, Sonarr, CouchPotato, ruTorrent, NZBGet, Headphones, NZBHydra, Plex, Netflix, ThePirateBay and PlexRequests without a problem.

from muximux.

The problem with using sandbox with everything is that it will prevent you from a submitting any changes on a page.

For most pages it isn't needed but for a few media streamers I have (all internal) they don't like iFrames, and by using sandbox it prevents them from breaking out of them. The options I use on the iframe is sandbox="allow-forms allow-scripts allow-same-origin" ., which does the following
allow-forms Re-enables form submission
allow-scripts Re-enables scripts
allow-same-origin Allows the iframe content to be treated as being from the same origin

Allow-same-origin is needed as my media streamers are on a different subnet and breaks some of the interactions.

one page I have found that is a good example is http://www.pogdesign.co.uk/cat/ try loading that in an iframe...

from muximux.

I was under the impression that doing sandbox="allow-forms" re-enables the ability to submit changes (i.e POST data).

<iframe sandbox="allow-forms allow-same-origin allow-pointer-lock allow-scripts" allowfullscreen="true" webkitallowfullscreen="true" mozallowfullscreen="true" scrolling="auto" src="https://www.pogdesign.co.uk/cat/"></iframe> seems to be working beautifully for me, or is there some specific action you can not do? What webbrowser are you using?

from muximux.

Nope, you are correct, allow-forms fixes the submission issue, Sorry I was going back to running everything in a sandbox environment although might not break anything right now, isn't always the best option, and that using something like @evanmj said with "iframe_sandbox_opts =" might break more things if users didn't put in the appropriate options, one being sandbox="allow-forms"

and yea, thats pretty much what I was using for accessing my media streamers in an iframe

from muximux.

I'll push 2 changes and close this issue (you're free to re-open if it turns out the issue persists).

The 2 changes are:
style.css: Add background color (white) to iframes - it defaults to transparent in webkit, which makes some sites such as kat.cr look awkwardly because they hadn't defined a background-color (they rely on default rendered background to be white).

muximux.php: Add iframe sandbox="allow-forms allow-same-origin allow-pointer-lock allow-scripts"

from muximux.

Thats perfect!

from muximux.

Looks like the sandbox option possibly breaks sabnzbd, it doesn't allow me to clear errors from the web interface, and something is preventing its popups, as discussed in the chat, adding allow-modals and allow-popups resolves this

from muximux.