Restrict allow-same-origin to plugins that actually ARE AND request it
Only grant allow-same-origin sandbox permission to plugins that
explicitly request it AND are hosted on the same origin as the
application. Cross-origin plugins requesting same-origin are denied
with a warning log.
To request same-origin, you need to add this in the local plugin
configuration, for example as follows:
```
{
  "name" : "Export",
  "desc" : "Exports Kalamar results",
  "embed" : [{
    "panel" : "result",
    "title" : "exports KWICs and snippets",
    "icon" : "\uf019",
    "classes" : ["button-icon", "plugin" ],
    "onClick" : {
      "action" : "addWidget",
      "template" : "https://korap.ids-mannheim.de/instance/test-docker/plugin/export/export",
      "permissions" : ["forms", "scripts", "downloads", "same-origin" ]
    }
  }]
}
```
Change-Id: Ifcaddc4f39023c4d885921b2d527f5748811c78d
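
The rule described in the commit message above, as an added JavaScript example that is not part of the commit and not Kalamar's own code. The function `sandboxTokens`, its parameters, the permission allow list and the cross-origin sample URLs are assumptions made for illustration.

```javascript
// Added illustration, not Kalamar's implementation.
// Assumption: the only permissions recognised are the four shown in the
// configuration example above.
const KNOWN_PERMISSIONS = new Set(["forms", "scripts", "downloads", "same-origin"]);

// Build the iframe sandbox attribute value for a plugin widget.
// template:    plugin URL from the configuration ("template")
// permissions: requested permissions from the configuration
// appOrigin:   origin the application itself is served from
// warn:        logger used when a request is denied
function sandboxTokens(template, permissions, appOrigin, warn = console.warn) {
  const tokens = [];
  for (const perm of permissions || []) {
    if (!KNOWN_PERMISSIONS.has(perm)) continue; // never pass unknown tokens through

    if (perm === "same-origin") {
      let pluginOrigin = null;
      try {
        // Relative templates resolve against the application origin.
        pluginOrigin = new URL(template, appOrigin).origin;
      } catch (e) {
        pluginOrigin = null; // unparsable URL is treated as cross-origin
      }
      // Scheme, host and port must all match; opaque origins ("null") never do.
      if (pluginOrigin !== new URL(appOrigin).origin) {
        warn("Denied same-origin for cross-origin plugin: " + template);
        continue;
      }
    }
    tokens.push("allow-" + perm);
  }
  return tokens.join(" ");
}

// Constructed sample run: the template from the example above, with the
// application assumed to be served from the same host.
console.log(sandboxTokens(
  "https://korap.ids-mannheim.de/instance/test-docker/plugin/export/export",
  ["forms", "scripts", "downloads", "same-origin"],
  "https://korap.ids-mannheim.de"
));
```

A same-origin frame that holds both `allow-scripts` and `allow-same-origin` can reach the embedding document and remove its own sandbox, so the grant suits only plugins trusted as much as the application itself.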
diff --git a/Changes b/Changes
index fcf47d5..fe45132 100644
--- a/Changes
+++ b/Changes
@@ -11,6 +11,7 @@
- Fix test suite for "allow-same-origin" sandbox rule (diewald)
- Escape commas and asterisks in query-by-match query creator (kupietz, hebasta)
- Tests for configurable hint foundries added (hebasta)
+ - Restrict allow-same-origin to plugins that actually ARE AND request it (Requires the export plugin >= 0.4.1)(kupietz, tests hebasta)
0.64 2026-02-14
- Improve 'Plugins' mounting (diewald)
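Review bot: The added Changes line says "plugins that actually ARE AND request it", which never states what the plugins are; reword it to something like "plugins that are same-origin and request it" so the entry can be read without the commit message. A space is also missing between "(Requires the export plugin >= 0.4.1)" and "(kupietz, tests hebasta)". Since the entry introduces a minimum export plugin version, consider stating that requirement where plugin configuration is documented as well, because the part of the diff shown here records it only in Changes.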