Merge pull request #175 from platformsh/allow-script-web-message-auth

shakaman · web-flow · commit e3ff32929356 · 2022-04-22T15:46:17.000+02:00
Add allow-scripts permission to the authentication iframe
diff --git a/src/authentication/connector.ts b/src/authentication/connector.ts
@@ -76,7 +76,9 @@ function checkForStorageAccess(auth: ClientConfiguration) {
   return new Promise((resolve, reject) => {
     removeIFrame();
 
-    createIFrame(`${auth.authentication_url}/request-storage-access.html`);
+    createIFrame(`${auth.authentication_url}/request-storage-access.html`, {
+      sandbox: "allow-scripts"
+    });
     async function receiveMessage(event: MessageEvent) {
       if (event.origin !== auth.authentication_url) {
         return false;
@@ -405,7 +407,9 @@ const logInWithWebMessageAndPKCE = async (reset: boolean) => {
       window.addEventListener("message", receiveMessage, false);
 
       const authUrl = encodeURL(auth.authorization, req);
-      createIFrame(authUrl);
+      createIFrame(authUrl, {
+        sandbox: "allow-scripts"
+      });
     } catch (err) {
       console.log("Error Silent refresh");
       console.log(err);
