Sandbox app iframes

src/components/structures/RoomView.js

@@ -50,6 +50,8 @@ import RoomViewStore from '../../stores/RoomViewStore';
 let DEBUG = false;
 let debuglog = function() {};
 
+const BROWSER_SUPPORTS_SANDBOX = 'sandbox' in document.createElement('iframe');
+
 if (DEBUG) {
     // using bind means that we get to keep useful line numbers in the console
     debuglog = console.log.bind(console);
@@ -275,6 +277,8 @@ module.exports = React.createClass({
     },
 
     _shouldShowApps: function(room) {
+        if (!BROWSER_SUPPORTS_SANDBOX) return false;
+
         const appsStateEvents = room.currentState.getStateEvents('im.vector.modular.widgets');
         // any valid widget = show apps
         for (let i = 0; i < appsStateEvents.length; i++) {

src/components/views/elements/AppTile.js

@@ -121,7 +121,14 @@ export default React.createClass({
         } else {
             appTileBody = (
                 <div className="mx_AppTileBody">
-                    <iframe ref="appFrame" src={this.state.widgetUrl} allowFullScreen="true"></iframe>
+                    // Note that there is advice saying allow-scripts shouldn;t be used with allow-same-origin
+                    // because that would allow the iframe to prgramatically remove the sandbox attribute, but
+                    // this would only be for content hosted on the same origin as the riot client: anything
+                    // hosted on the same origin as the client will get the same access access as if you clicked
+                    // a link to it.
+                    <iframe ref="appFrame" src={this.state.widgetUrl} allowFullScreen="true"
+                        sandbox="allow-forms allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"
+                    ></iframe>
                 </div>
             );
         }