Sandbox permissions (#419)

delsim · delsim · web-flow · commit 5f0aebace2e2 · 2022-10-28T21:54:11.000-07:00
* Update gitignore

* Add code generation of sandbox exception list

Co-authored-by: delsim &lt;dev@gibbsconsulting.ca&gt;
diff --git a/.gitignore b/.gitignore
@@ -105,3 +105,6 @@ TOKENS
 
 # testing
 .pytest_cache/
+
+# emacs backup files
+**/*~
diff --git a/django_plotly_dash/templates/django_plotly_dash/plotly_app.html b/django_plotly_dash/templates/django_plotly_dash/plotly_app.html
@@ -1,3 +1,3 @@
 <div style="{{dstyle}}">
-  <iframe src="{{app.base_url}}" style="{{istyle}}" frameborder="{{fbs}}" sandbox="allow-downloads allow-scripts allow-same-origin"></iframe>
+  <iframe src="{{app.base_url}}" style="{{istyle}}" frameborder="{{fbs}}" sandbox="{{sandbox_settings}}"></iframe>
 </div>
diff --git a/django_plotly_dash/templates/django_plotly_dash/plotly_app_bootstrap.html b/django_plotly_dash/templates/django_plotly_dash/plotly_app_bootstrap.html
@@ -1,3 +1,3 @@
 <div class="embed-responsive embed-responsive-{{aspect}}">
-  <iframe src="{{app.base_url}}" class="embed-responsive-item" sandbox="allow-downloads allow-scripts allow-same-origin"></iframe>
+  <iframe src="{{app.base_url}}" class="embed-responsive-item" sandbox="{{sandbox_settings}}"></iframe>
 </div>
diff --git a/django_plotly_dash/templatetags/plotly_dash.py b/django_plotly_dash/templatetags/plotly_dash.py
@@ -31,10 +31,25 @@
 from django_plotly_dash.models import DashApp
 from django_plotly_dash.util import pipe_ws_endpoint_name, store_initial_arguments
 
+
 register = template.Library()
 
+
 ws_default_url = "/%s" % pipe_ws_endpoint_name()
 
+
+SANDBOX_SETTINGS = ["allow-downloads",
+                    "allow-scripts",
+                    "allow-same-origin",
+                    "allow-modals",
+                    "allow-popups",
+                    "allow-popups-to-escape-sandbox",
+                    ]
+
+
+SANDBOX_STRING = " ".join(SANDBOX_SETTINGS)
+
+
 def _locate_daapp(name, slug, da, cache_id=None):
 
     app = None
@@ -75,8 +90,11 @@ def plotly_app(context, name=None, slug=None, da=None, ratio=0.1, use_frameborde
 
     da, app = _locate_daapp(name, slug, da, cache_id=cache_id)
 
+    sandbox_settings = SANDBOX_STRING
+    
     return locals()
 
+
 @register.inclusion_tag("django_plotly_dash/plotly_app_bootstrap.html", takes_context=True)
 def plotly_app_bootstrap(context, name=None, slug=None, da=None, aspect="4by3", initial_arguments=None):
     'Insert a dash application using a html iframe'
@@ -95,18 +113,23 @@ def plotly_app_bootstrap(context, name=None, slug=None, da=None, aspect="4by3",
 
     da, app = _locate_daapp(name, slug, da, cache_id=cache_id)
 
+    sandbox_settings = SANDBOX_STRING
+    
     return locals()
 
+
 @register.simple_tag(takes_context=True)
 def plotly_header(context):
     'Insert placeholder for django-plotly-dash header content'
     return context.request.dpd_content_handler.header_placeholder
 
+
 @register.simple_tag(takes_context=True)
 def plotly_footer(context):
     'Insert placeholder for django-plotly-dash footer content'
     return context.request.dpd_content_handler.footer_placeholder
 
+
 @register.inclusion_tag("django_plotly_dash/plotly_direct.html", takes_context=True)
 def plotly_direct(context, name=None, slug=None, da=None):
     'Direct insertion of a Dash app'
@@ -130,12 +153,14 @@ def plotly_direct(context, name=None, slug=None, da=None):
 
     return locals()
 
+
 @register.inclusion_tag("django_plotly_dash/plotly_messaging.html", takes_context=True)
 def plotly_message_pipe(context, url=None):
     'Insert script for providing background websocket connection'
     url = url if url else ws_default_url
     return locals()
 
+
 @register.simple_tag()
 def plotly_app_identifier(name=None, slug=None, da=None, postfix=None):
     'Return a slug-friendly identifier'
@@ -148,6 +173,7 @@ def plotly_app_identifier(name=None, slug=None, da=None, postfix=None):
         return "%s-%s" %(slugified_id, postfix)
     return slugified_id
 
+
 @register.simple_tag()
 def plotly_class(name=None, slug=None, da=None, prefix=None, postfix=None, template_type=None):
     'Return a string of space-separated class names'
@@ -158,6 +184,7 @@ def plotly_class(name=None, slug=None, da=None, prefix=None, postfix=None, templ
                                      postfix=postfix,
                                      template_type=template_type)
 
+
 @register.simple_tag(takes_context=True)
 def site_root_url(context):
     'Provide the root url of the demo site'
