[MOB-8515]: allow-popups-to-escape-sandbox #380

Merged
merged 8 commits into from
May 15, 2024
@mprew97 mprew97 commented May 13, 2024

JIRA Ticket(s) if any

Description

See https://googlechrome.github.io/samples/allow-popups-to-escape-sandbox/

Test Steps

@jberry-iterable jberry-iterable requested a review from a team May 13, 2024 16:14
Contributor

@ts-nguyen ts-nguyen left a comment

Do we need to update the README for this change and make a disclaimer for this config? I imagine we'll need a security review on this and possibly legal?

@@ -284,9 +284,14 @@ const generateSecuredIFrame = () => {
iframe.setAttribute('id', 'iterable-iframe');
// allow-popups and allow-top-navigation is to enable links for Safari since the iframe will block
// event handlers on elements in it preventing our custom link handling
console.log({ p: process.env });
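
Review bot: The `console.log({ p: process.env })` line at the end of this hunk writes the whole `process.env` object to the browser console from inside `generateSecuredIFrame`, so every value passed into the bundle becomes visible in any integrating app. Remove it before merge; if the flag's value has to be inspected while debugging, log only that single key and only in a development build.
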
Contributor

Should remove console log

Contributor Author

ope, good catch.

Contributor Author

mprew97 commented May 14, 2024

> Do we need to update the README for this change and make a disclaimer for this config? I imagine we'll need a security review on this and possibly legal?

@ts-nguyen Security is aware of this and will review this today. As for the README, I've alerted docs about this PR so will let them determine what changes are needed.

@@ -9,6 +9,8 @@ function getParsedEnv() {
...env.parsed,
VERSION: version,
IS_EU_ITERABLE_SERVICE: process.env.IS_EU_ITERABLE_SERVICE || false,
DANGEROUSLY_ALLOW_JS_POPUP_EXECUTION:
process.env.DANGEROUSLY_ALLOW_JS_POPUP_EXECUTION || false
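
Review bot: `process.env.DANGEROUSLY_ALLOW_JS_POPUP_EXECUTION || false` passes any non-empty string through unchanged, and environment values are strings, so a setting of `false` or `0` arrives as a truthy string and any consumer that tests it for truthiness treats the flag as enabled. For a flag with this name, compare against the one accepted value, for example `process.env.DANGEROUSLY_ALLOW_JS_POPUP_EXECUTION === 'true'`, so that only an explicit opt-in turns it on. The `IS_EU_ITERABLE_SERVICE` line above uses the same pattern and has the same behaviour.
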
Contributor

Should we do a strict check against true given the effect of the changes this value controls?

Contributor Author

this is the webpack config to allow the env variable to be passed in. made the check a const and made it stricter here
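
Why the strict-check question above matters, shown as an added example that is not part of the pull request or the SDK: environment values arrive as strings, so a `|| false` default lets the string "false" enable the flag. The function names, the base token list and the way the flag feeds the sandbox attribute are assumptions for illustration.

```javascript
// Added illustration, not code from the SDK. Function names are hypothetical.
// Environment variables reach JavaScript as strings, so "false" and "0" are truthy.

// Assumed base sandbox tokens: the two named in the PR's code comment.
const BASE_TOKENS = ['allow-popups', 'allow-top-navigation'];

// Loose pattern as in the diff: any non-empty string passes through.
function parseLooseFlag(raw) {
  return raw || false;
}

// Strict pattern: only an explicit "true" (or boolean true) opts in.
function parseStrictFlag(raw) {
  return raw === true || raw === 'true';
}

// Build the iframe sandbox attribute value; the escape token is added
// only when the flag is enabled (assumed consumer behaviour).
function buildSandboxValue(flag) {
  const tokens = [...BASE_TOKENS];
  if (flag) tokens.push('allow-popups-to-escape-sandbox');
  return tokens.join(' ');
}

// Constructed sample values an integrator might put in a .env file.
const SAMPLES = [undefined, '', 'false', '0', 'no', 'TRUE', 'true'];

// Run every sample through both parsers and record the resulting attribute.
function compareParsers(samples) {
  return samples.map((raw) => ({
    raw,
    loose: buildSandboxValue(parseLooseFlag(raw)),
    strict: buildSandboxValue(parseStrictFlag(raw)),
  }));
}

const escapes = (value) => value.includes('allow-popups-to-escape-sandbox');
for (const row of compareParsers(SAMPLES)) {
  console.log(JSON.stringify(row.raw), 'loose:', escapes(row.loose), 'strict:', escapes(row.strict));
}
```
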

Contributor

@ts-nguyen ts-nguyen left a comment

Left an additional suggestion for a safer check!

@@ -8,3 +8,6 @@

# Convenience variable to automatically set the login email during testing.
# [email protected]

# IS_EU_ITERABLE_SERVICE=false
# DANGEROUSLY_ALLOW_JS_POPUP_EXECUTION=false
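
Review bot: The two new commented-out entries, `IS_EU_ITERABLE_SERVICE` and `DANGEROUSLY_ALLOW_JS_POPUP_EXECUTION`, have no explanatory comment, unlike the login email entry above them. Add a line above the second one saying what the flag changes and that it should stay unset unless that behaviour is required, and state which exact value enables it so the sample matches the check in the webpack config.
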
Contributor

Why do we need this at the sample app level?

Contributor Author

When the package is installed via package manager, devs don't have access to modify the .env file of the web-sdk so they need to be able to pass this value in from their own .env. This just serves as an example of how to do that.

@jberry-iterable jberry-iterable left a comment

Thank you for making this a config change!

* Information about allow-popups-to-escape-sandbox

* SDK version information

* Update README.md

* Update README.md

---------

Co-authored-by: Mitch Prewitt <[email protected]>
@mprew97 mprew97 merged commit 1828337 into main May 15, 2024
1 check passed
@mprew97 mprew97 deleted the MOB-8515 branch May 15, 2024 14:27
4 participants