
Conversation

@midahp
Collaborator

@midahp midahp commented May 19, 2025

the "allow-same-origin" value is needed. Otherwise the email can not be displayed

This is meant as an additional countermeasure against XSS attacks in HTML emails. I am not 100% sure this won't break some HTML emails. In my tests it did not lead to any issues.

@ralflang
Member

ralflang commented Jun 4, 2025

@TDannhauer I'd like to move forward with this PR. Besides the conflict it looks good. Opinion?

Member

@ralflang ralflang left a comment


Re-approve after solving the merge conflict

@TDannhauer
Contributor

Looks good to me. Let's move on!

@ralflang ralflang merged commit 89d0783 into horde:FRAMEWORK_6_0 Jun 4, 2025
0 of 6 checks passed
ralflang added a commit that referenced this pull request Jun 4, 2025
the "allow-same-origin" value is needed. Otherwise the email can not be displayed

Co-authored-by: Ralf Lang <ralf.lang@ralf-lang.de>
Co-authored-by: Pasche, B1 Systems <pasche@b1-systems.de>
ralflang added a commit that referenced this pull request Jun 4, 2025
fix: Add conditional to hook class template to prevent double declaration issues
fix: add 'sandbox' attr to Horde_Mime_Part iframes (#19)
fix: Move  assignment up
fix: Shield against null returned from getCharset
fix: Shield against null returned from getContentTypeParameter
@dkulp

dkulp commented Dec 7, 2025

With this change, users are no longer able to click on most links in their mail messages (such as the "View on GitHub" link at the bottom of GitHub PR emails) and have it open in a new tab. My users are definitely complaining about it. I changed it to sandbox="allow-scripts allow-same-origin allow-popups", but I'm not sure if that defeats the purpose of the security change or not.

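The sandbox values traded back and forth in this thread can be checked against what the HTML specification actually grants, rather than by trial and error. The following is an added example in JavaScript; it is not Horde code and not something any participant posted. It models the sandboxing flags for the tokens discussed here: without `allow-scripts` no script the XSS filter missed can run; `allow-scripts` together with `allow-same-origin` lets the framed document reach the embedding page and strip its own `sandbox` attribute, so that pair is equivalent to no sandbox; `allow-popups` is what `target="_blank"` links need, and unless `allow-popups-to-escape-sandbox` is also present the new window inherits the frame's sandbox flags. The function names (`parseSandbox`, `assessSandbox`, `mailFrameSandbox`) and the option names are this example's own.

```javascript
"use strict";

// Added example, not code from Horde or from anyone in this thread.
// Token semantics follow the HTML spec's sandboxing flags; function and
// option names are this example's own.

const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// sandbox="" is an unordered set of unique, space-separated, ASCII
// case-insensitive tokens. Browsers silently ignore tokens they do not know,
// so a typo never fails loudly; report unknown tokens instead of dropping them.
function parseSandbox(value) {
  const tokens = new Set();
  const unknown = [];
  for (const raw of String(value).trim().split(/\s+/)) {
    if (raw === "") continue;
    const t = raw.toLowerCase();
    if (KNOWN_TOKENS.has(t)) tokens.add(t);
    else unknown.push(raw);
  }
  return { tokens, unknown };
}

// Derive the properties a mail client cares about from a sandbox value.
function assessSandbox(value) {
  const { tokens, unknown } = parseSandbox(value);
  const scripts = tokens.has("allow-scripts");
  const sameOrigin = tokens.has("allow-same-origin");
  const popups = tokens.has("allow-popups");
  const popupsEscape = tokens.has("allow-popups-to-escape-sandbox");
  return {
    unknownTokens: unknown,
    // Script that the XSS filter missed can only execute with allow-scripts.
    scriptsRun: scripts,
    // Without allow-same-origin the frame gets an opaque origin: no cookies,
    // no storage, and no access to the embedding page's DOM.
    opaqueOrigin: !sameOrigin,
    // A same-origin frame that may run script can reach the parent document
    // and remove its own sandbox attribute, so the pair gives no protection.
    sandboxEscapable: scripts && sameOrigin,
    // target="_blank" links need allow-popups. Without
    // allow-popups-to-escape-sandbox the new window inherits these same
    // flags, e.g. the linked site loads with scripts disabled.
    linksOpenNewWindow: popups,
    newWindowsSandboxed: popups && !popupsEscape,
  };
}

// Build a sandbox value for a mail-rendering iframe from what the client
// needs. allow-scripts is refused for a same-origin frame because that
// combination is equivalent to having no sandbox at all.
function mailFrameSandbox({ sameOrigin = false, newWindowLinks = false, scripts = false } = {}) {
  if (scripts && sameOrigin) {
    throw new Error("allow-scripts with allow-same-origin lets the mail remove the sandbox");
  }
  const tokens = [];
  if (sameOrigin) tokens.push("allow-same-origin");
  if (scripts) tokens.push("allow-scripts");
  if (newWindowLinks) tokens.push("allow-popups", "allow-popups-to-escape-sandbox");
  return tokens.join(" ");
}

// Compare the two values from this thread with what the builder produces.
if (typeof require !== "undefined" && require.main === module) {
  for (const v of ["allow-same-origin",
                   "allow-scripts allow-same-origin allow-popups",
                   mailFrameSandbox({ sameOrigin: true, newWindowLinks: true })]) {
    console.log(JSON.stringify(v), assessSandbox(v));
  }
}
```

Run with `node` to print the assessment for `allow-same-origin` (scripts blocked, links cannot open new windows), for `allow-scripts allow-same-origin allow-popups` (scripts run and the sandbox is escapable, and the popups are themselves sandboxed), and for the builder's `allow-same-origin allow-popups allow-popups-to-escape-sandbox`, which keeps scripts blocked while letting `target="_blank"` links open ordinary, unsandboxed tabs. Whether that last value renders every HTML mail correctly is something only testing against real messages can answer, as the PR description already notes.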