Support iframe sandbox attribute ...

[DeepDiver1975]

• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Is your feature request related to a problem? Please describe.
From a security perspective a iframes should use sandbox attributes to limit attack vectors and jail an application inside an iframe.
It should be enough to load drawio in an iframe with sandbox="allow-scripts" but drawio tries to access the parent document.

Access to document.cookie

This can be worked around by specifying the urlParam mode=foo

Access to Navigator.serviceWorker

I could not find a workaround to this - no idea if it is even possible to run without the service worker

Describe the solution you'd like
drawio should not try to break out of the iframe - at least workarounds should be documented.

Describe alternatives you've considered
See above

[davidjgraph]

Are you asking how to set a CSP on your own deployment?

[DeepDiver1975]

Are you asking how to set a CSP on your own deployment?

no. When embedding drawio in an iframe I want to use a minimal set of sandbox attributes. I mainly don't want to grant allow-same-origin - only granting allow-scripts should be sufficient.
https://www.w3schools.com/tags/att_iframe_sandbox.asp

THX

[davidjgraph]

We have reasons for how we configure our own deployment. If you need something different simply create your own deployment.

[DeepDiver1975]

It is not about the deployment. Even if I run my own deployment of drawio I can still not iframe it with the desired iframe sandbox.

Unless I miss anything. THX a lot

[davidjgraph]

Should work in 24.3.1

[DeepDiver1975]

Thx a lot. I will test this asap!

[DeepDiver1975]

I am sorry to say - but this is not fixed ...

let me know if you need any further support - thx

[DeepDiver1975]

@davidjgraph can you please reopen this issue?