<iframe> tag cause open redirect

[k1tten]

If the source website has the script like this:

<script type="text/javascript">
if(window != top) {
    top.location.href = location.href;
}
</script>

It may cause a open redirect issue on codimd.
I use www.plurk.com which has anti-clickjacking code to demo.

Demo Link in demo.codimd.org

<iframe src="https://www.plurk.com/k1tten_">

Broswer verison:

Safari 11.0.2: triggered
Firefox Quantum 62.0 : triggered
Chrome 68.0.3440.106: not triggered

[ccoenen]

you may add a sandbox attribute to your iframe, if you want.

https://demo.codimd.org/k2jQRdqATQqr5_A2pa-Mtg

<iframe src="https://www.plurk.com/k1tten_" sandbox>

(there's also options what is and isn't allowed, documentation at https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox )

[SISheogorath]

We should consider to set sandbox attributes to all non-integreated iframes. (Yes, this may breaks some existing notes.)

Needs some testing but especially for things like youtube and slideshare. All embeddings on the features page, should continue to work.