From 0c2c48802fdbde0c0b9af62cf8d2688b747ac75c Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 21 Feb 2026 21:25:51 +0000
Subject: [PATCH] [ci skip] Sandbox proxy iframe to prevent frame-busting

Add sandbox attribute to prevent proxied pages from navigating top.location or replacing the parent page body. Allows scripts, same-origin, forms, popups, and presentation but blocks top-navigation.
---
 modules/kubernetes/f1-stream/files/static/js/streams.js | 3 ++-
 modules/kubernetes/f1-stream/main.tf | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/kubernetes/f1-stream/files/static/js/streams.js b/modules/kubernetes/f1-stream/files/static/js/streams.js
index a9cea4ce..21b634f4 100644
--- a/modules/kubernetes/f1-stream/files/static/js/streams.js
+++ b/modules/kubernetes/f1-stream/files/static/js/streams.js
@@ -362,10 +362,11 @@ function openBrowserSession(streamId, streamTitle, streamURL) {
 // Remove any existing iframe
 contentEl.querySelectorAll('.browser-iframe').forEach(el => el.remove());
- // Create iframe
+ // Create iframe with sandbox to prevent frame-busting and top-navigation
 const iframe = document.createElement('iframe');
 iframe.src = proxyURL;
 iframe.className = 'browser-iframe';
+ iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin allow-forms allow-popups allow-popups-to-escape-sandbox allow-presentation');
 iframe.setAttribute('allowfullscreen', '');
 iframe.onload = function() {
 loader.classList.add('hidden');
diff --git a/modules/kubernetes/f1-stream/main.tf b/modules/kubernetes/f1-stream/main.tf
index 4e6657ea..62dd68e2 100644
--- a/modules/kubernetes/f1-stream/main.tf
+++ b/modules/kubernetes/f1-stream/main.tf
@@ -37,7 +37,7 @@ resource "kubernetes_deployment" "f1-stream" {
 }
 spec {
 container {
- image = "viktorbarzin/f1-stream:v1.2.3"
+ image = "viktorbarzin/f1-stream:v1.2.4"
 name = "f1-stream"
 resources {
 limits = {
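Review bot: The `sandbox` value added in the streams.js hunk combines `allow-scripts` with `allow-same-origin`, so a framed document that shares the embedding page's origin can still script the parent DOM and remove the `sandbox` attribute itself. The commit message's goal of stopping proxied pages from "replacing the parent page body" suggests `proxyURL` is same-origin with the app (not visible here); if so, this change blocks top-navigation only. Serving the proxy from a dedicated origin fixes that, or, if the proxied players work with an opaque origin, drop the token: `iframe.setAttribute('sandbox', 'allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox allow-presentation');`. `allow-popups-to-escape-sandbox` means windows opened from the frame are unsandboxed, so it merits a comment saying why it is needed. `openBrowserSession` starts and ends outside the hunk, so where the iframe is attached cannot be checked from here.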