rfellows opened a new pull request, #10842: URL: https://github.com/apache/nifi/pull/10842
[NIFI-15537](https://issues.apache.org/jira/browse/NIFI-15537)

## Summary

- Add `sandbox` attribute to iframe elements used for advanced UIs and content viewers to restrict potentially untrusted content
- Add `referrerpolicy="strict-origin-when-cross-origin"` to limit referrer information sent to iframe content
- Add `title` attributes for accessibility compliance
- Ran prettier, hence the change in the bulletins-tip.

## Details

Custom UI extensions and content viewers are loaded in iframes and may contain third-party or user-provided content. This change applies defense-in-depth security measures:

**Sandbox restrictions:**

- `allow-scripts` - Required for UI functionality
- `allow-same-origin` - Required for communication with the parent frame
- `allow-forms` - Only enabled for the advanced configuration UI where form submission is needed; omitted for the read-only content viewer

**Referrer policy:**

- `strict-origin-when-cross-origin` prevents leaking full URL paths to cross-origin iframe content while still allowing same-origin requests to function normally

**Accessibility:**

- Added descriptive `title` attributes to iframes for screen reader users

**Dependabot:**

- Also addressed: https://github.com/apache/nifi/security/dependabot/540
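The following is an added example written for this page, not code from the pull request or from Apache NiFi. It shows what the two attribute choices above do in practice: a builder that emits the `sandbox` token set for the two iframe kinds (the kind names `advanced-ui` and `content-viewer` are assumptions chosen for this example, and the function names are hypothetical), a small audit of a `sandbox` value, and a function that computes the `Referer` value a browser sends under `strict-origin-when-cross-origin` for a given parent and frame URL. The audit flags one caveat worth knowing when reading the PR: the HTML sandbox mechanism is documented to give no isolation when `allow-scripts` and `allow-same-origin` are combined for same-origin content, because a same-origin framed document can script the parent and remove the `sandbox` attribute. The example treats only `https:` as a secure scheme, a simplification of the browser's "potentially trustworthy origin" rule.

```javascript
// Added example (not NiFi code). Node.js, no dependencies; uses the WHATWG URL global.

// Sandbox tokens common to both iframe kinds, as described in the PR.
const BASE_SANDBOX = ["allow-scripts", "allow-same-origin"];

// Hypothetical iframe kinds for this example: the advanced configuration UI
// needs form submission, the read-only content viewer does not.
function sandboxTokensFor(kind) {
  switch (kind) {
    case "advanced-ui":
      return [...BASE_SANDBOX, "allow-forms"];
    case "content-viewer":
      return [...BASE_SANDBOX];
    default:
      throw new Error(`unknown iframe kind: ${kind}`);
  }
}

// Attribute set for one iframe: sandbox, referrer policy and an accessible title.
function iframeAttributes(kind, src, title) {
  return {
    src,
    title,
    sandbox: sandboxTokensFor(kind).join(" "),
    referrerpolicy: "strict-origin-when-cross-origin",
  };
}

// Minimal attribute-value escaping so constructed src/title values cannot break
// out of the attribute when the element is rendered as HTML text.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderIframe(attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttr(v)}"`);
  return `<iframe ${parts.join(" ")}></iframe>`;
}

// Review-time check of a sandbox attribute value. Returns human-readable findings;
// an empty array means nothing noteworthy.
function auditSandbox(sandboxAttr) {
  const tokens = new Set(sandboxAttr.trim().split(/\s+/).filter(Boolean));
  const findings = [];
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push(
      "allow-scripts with allow-same-origin: same-origin framed content can remove its own sandbox attribute"
    );
  }
  for (const t of ["allow-top-navigation", "allow-popups-to-escape-sandbox"]) {
    if (tokens.has(t)) findings.push(`${t}: framed content can navigate or open windows outside the sandbox`);
  }
  return findings;
}

// Referer value sent for a request from parentUrl to childUrl under
// strict-origin-when-cross-origin. Returns null when no Referer is sent.
function refererForStrictOriginWhenCrossOrigin(parentUrl, childUrl) {
  const from = new URL(parentUrl);
  const to = new URL(childUrl);
  const secure = (u) => u.protocol === "https:"; // simplification: https only
  if (secure(from) && !secure(to)) return null; // downgrade: send nothing
  if (from.origin === to.origin) {
    // same origin: full URL without fragment or credentials
    return from.origin + from.pathname + from.search;
  }
  return from.origin + "/"; // cross-origin: origin only, serialized with trailing slash
}

// Constructed demo values for stand-alone runs.
console.log(renderIframe(iframeAttributes("content-viewer", "/nifi-content-viewer/?ref=a&b", "Content viewer")));
console.log(auditSandbox(iframeAttributes("advanced-ui", "/custom-ui/", "Advanced configuration").sandbox));
console.log(refererForStrictOriginWhenCrossOrigin("https://nifi.example:8443/nifi/?processGroupId=abc#x", "https://ui.example/custom"));
```

The `auditSandbox` finding on the combined `allow-scripts` and `allow-same-origin` tokens does not argue against the PR (the advanced UI needs both to talk to the parent); it is the reason the `sandbox` attribute should be treated as defense in depth for content that is already same-origin, and as real isolation only for cross-origin content.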
