This is an automated email from the ASF dual-hosted git repository.
pierrejeambrun pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 4c7d43c4f30 fix: enable iframe script execution (#52257)
4c7d43c4f30 is described below
commit 4c7d43c4f30f6e09b4afd90e7c0a240cc32ea09b
Author: Zhen-Lun (Kevin) Hong <[email protected]>
AuthorDate: Mon Jun 30 21:09:42 2025 +0800
fix: enable iframe script execution (#52257)
* fix: enable iframe script execution
* fix: include vite env variables when transpiling typescripts
* fix: add explanations to sandbox settings
* fix: remove csp change
---
airflow-core/src/airflow/ui/src/pages/Iframe.tsx | 6 +++++-
airflow-core/src/airflow/ui/src/pages/Security.tsx | 13 +++++++------
scripts/ci/pre_commit/ts_compile_lint_ui.py | 2 ++
3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/airflow-core/src/airflow/ui/src/pages/Iframe.tsx
b/airflow-core/src/airflow/ui/src/pages/Iframe.tsx
index 9256a463b08..b6e3aa00cc9 100644
--- a/airflow-core/src/airflow/ui/src/pages/Iframe.tsx
+++ b/airflow-core/src/airflow/ui/src/pages/Iframe.tsx
@@ -44,10 +44,14 @@ export const Iframe = () => {
return <ErrorPage />;
}
+ // The following iframe sandbox setting is intentionally less restrictive.
+ // ONLY trusted contents can be framed within Iframe.
+ const sandbox = "allow-same-origin allow-forms";
+
return (
<Box flexGrow={1} m={-3}>
<iframe
- sandbox="allow-same-origin allow-forms"
+ sandbox={sandbox}
src={iframeView.href}
style={{ height: "100%", width: "100%" }}
title={iframeView.name}
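Review bot: The comment added above `const sandbox` says the setting is "intentionally less restrictive", but the value `"allow-same-origin allow-forms"` is byte-identical to the attribute removed a few lines below, and unlike the Security.tsx hunk in this same commit it still omits `allow-scripts`, so a reader cannot tell what was relaxed or why script execution stays off for this page. Suggest making the contrast explicit, e.g. `// Unlike Security.tsx, allow-scripts is deliberately NOT granted here: content framed via iframeView is shown without script execution.` Where `iframeView.href` comes from is outside this hunk, so confirm that description against the code that builds it before committing to it.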
diff --git a/airflow-core/src/airflow/ui/src/pages/Security.tsx
b/airflow-core/src/airflow/ui/src/pages/Security.tsx
index 3a6061478eb..d984935ffdb 100644
--- a/airflow-core/src/airflow/ui/src/pages/Security.tsx
+++ b/airflow-core/src/airflow/ui/src/pages/Security.tsx
@@ -43,14 +43,15 @@ export const Security = () => {
return <ErrorPage />;
}
+ // The following iframe sandbox setting is intentionally less restrictive.
+ // This is considered safe because the framed content originates from the
Auth manager,
+ // which is part of the deployment of Airflow and trusted as per our
security policy.
+ //
https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html
+ const sandbox = "allow-scripts allow-same-origin allow-forms";
+
return (
<Box flexGrow={1} m={-3}>
- <iframe
- sandbox="allow-same-origin allow-forms"
- src={link.href}
- style={{ height: "100%", width: "100%" }}
- title={link.text}
- />
+ <iframe sandbox={sandbox} src={link.href} style={{ height: "100%",
width: "100%" }} title={link.text} />
</Box>
);
};
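Review bot: The new `const sandbox` value combines `allow-scripts` with `allow-same-origin`; when the framed auth-manager page is same-origin with the Airflow UI, that pair lets the framed document remove its own `sandbox` attribute, so the remaining restrictions are not enforceable against it. That matches the stated intent (the auth manager is trusted per the linked security model), but the comment should say so, so that nobody later treats the attribute as an isolation boundary, e.g. append `// allow-scripts + allow-same-origin gives a same-origin framed page the ability to drop the sandbox entirely; the attribute documents intent rather than enforcing isolation.` Whether `link.href` is always same-origin is not visible in this hunk and should be verified where `link` is built.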
diff --git a/scripts/ci/pre_commit/ts_compile_lint_ui.py
b/scripts/ci/pre_commit/ts_compile_lint_ui.py
index 3e817285e22..93fdcd149b7 100755
--- a/scripts/ci/pre_commit/ts_compile_lint_ui.py
+++ b/scripts/ci/pre_commit/ts_compile_lint_ui.py
@@ -47,6 +47,8 @@ if __name__ == "__main__":
all_non_yaml_files = [file for file in files if not file.endswith(".yaml")]
print("All non-YAML files:", all_non_yaml_files)
all_ts_files = [file for file in files if file.endswith(".ts") or
file.endswith(".tsx")]
+ if all_ts_files:
+ all_ts_files.append("src/vite-env.d.ts")
print("All TypeScript files:", all_ts_files)
run_command(["pnpm", "config", "set", "store-dir", ".pnpm-store"], cwd=dir)