Set sandbox permissions for redditgifts-embed iframe

2026-04-27 03:00:12 -04:00 · 2016-01-13 14:42:21 -08:00
parent bf9368ea9f
commit 75143f2b5f
1 changed files with 13 additions and 2 deletions
--- a/r2/r2/controllers/promotecontroller.py
+++ b/r2/r2/controllers/promotecontroller.py
@@ -1059,13 +1059,24 @@ class PromoteApiController(ApiController):
                    form.set_error(errors.BAD_URL, "gifts_embed_url")
                    return

+                sandbox = (
+                    'allow-popups',
+                    'allow-forms',
+                    'allow-same-origin',
+                    'allow-scripts',
+                )
+                iframe_attributes = {
+                    'embed_url': websafe(iframe_embed_url),
+                    'sandbox': ' '.join(sandbox),
+                }
                iframe = """
                    <iframe class="redditgifts-embed"
                            src="%(embed_url)s"
                            width="710" height="500" scrolling="no"
-                            frameborder="0" allowfullscreen>
+                            frameborder="0" allowfullscreen
+                            sandbox="%(sandbox)s">
                    </iframe>
-                """ % {'embed_url': websafe(gifts_embed_url)}
+                """ % iframe_attributes
                media_object = {
                    'oembed': {
                        'description': 'redditgifts embed',