Restrict allow-same-origin to plugins that actually ARE AND request it
Only grant allow-same-origin sandbox permission to plugins that
explicitly request it AND are hosted on the same origin as the
application. Cross-origin plugins requesting same-origin are denied
with a warning log.
To request same-origin, add this to the local plugin
configuration, for example as follows:
```
{
"name" : "Export",
"desc" : "Exports Kalamar results",
"embed" : [{
"panel" : "result",
"title" : "exports KWICs and snippets",
"icon" : "\uf019",
"classes" : ["button-icon", "plugin" ],
"onClick" : {
"action" : "addWidget",
"template" : "https://korap.ids-mannheim.de/instance/test-docker/plugin/export/export",
"permissions" : ["forms", "scripts", "downloads", "same-origin" ]
}
}]
}
```
Change-Id: Ifcaddc4f39023c4d885921b2d527f5748811c78d
diff --git a/dev/js/spec/pluginSpec.js b/dev/js/spec/pluginSpec.js
index 4195fab..32a6e5e 100644
--- a/dev/js/spec/pluginSpec.js
+++ b/dev/js/spec/pluginSpec.js
@@ -204,7 +204,8 @@
title : 'Add',
onClick : {
template : 'about:blank',
- action : 'setWidget'
+ action : 'setWidget',
+ permissions: ['same-origin'] // Temporary
}
}]
});
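Review bot: The `// Temporary` marker on the added `permissions: ['same-origin']` line says neither why this fixture needs the permission nor when it can be removed, and the same bare marker recurs in the hunk at L60 (`// Temporary`, `//Temporary`). A reader cannot tell whether the fixture is meant to exercise the new origin check or is a leftover from the earlier unconditional `allow-same-origin` sandbox value the other hunks drop. Suggest spelling out the condition, e.g. `// Temporary: requests 'same-origin' so the origin check is exercised; drop once a dedicated fixture exists — TODO(owner)`. The enclosing fixture literal starts before this hunk.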
@@ -417,10 +418,10 @@
expect(b.getAttribute("title")).toEqual("Add something");
b.click();
expect(p.element().querySelectorAll("iframe").length).toEqual(1);
- expect(p.element().querySelector("iframe").getAttribute('sandbox')).toEqual('allow-forms allow-scripts allow-same-origin'); // Temporary
+ expect(p.element().querySelector("iframe").getAttribute('sandbox')).toEqual('allow-forms allow-scripts');
});
});
-
+
describe('KorAP.Plugin.Widget', function () {
it('should be initializable', function () {
expect(function () { widgetClass.create() }).toThrow(new Error("Service not well defined"));
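Review bot: The assertion now pins that the clicked plugin's iframe gets `allow-forms allow-scripts` without `allow-same-origin`; if this is the fixture from the hunk at L30 (template `about:blank`, `permissions: ['same-origin']`), the test encodes that an about:blank plugin requesting same-origin is denied, but nothing says whether that is intended. Denying is the safe outcome, since a sandboxed about:blank document granted `allow-same-origin` would presumably run with the embedding page's origin, yet the comment added in the hunk at L60 (`// about:blank inherits current origin`) reads as though about:blank should count as same-origin, so the two hunks pull in opposite directions. Suggest stating the intent next to the expectation, e.g. `// 'same-origin' was requested but the template is about:blank (no comparable origin): must stay denied`, and aligning the L67 comment with it. The enclosing `it` block starts outside the hunk.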
@@ -447,7 +448,7 @@
var iframe = we.firstChild;
expect(iframe.tagName).toEqual("IFRAME");
- expect(iframe.getAttribute("sandbox")).toEqual("allow-forms allow-scripts allow-same-origin"); // Temporary
+ expect(iframe.getAttribute("sandbox")).toEqual("allow-forms allow-scripts");
expect(iframe.getAttribute("src")).toEqual("https://example");
expect(iframe.getAttribute("name")).toEqual("56");
@@ -507,6 +508,31 @@
expect(i.getAttribute("name")).toEqual(''+service.id);
expect(i.getAttribute("src")).toEqual(service.src);
});
+
+ // Temporary
+ it('should grant same-origin for same-origin plugins', function () {
+ // about:blank inherits current origin
+ let service = serviceClass.create({
+ "name": "Test",
+ "src": window.location.origin + "/plugin.html",
+ "id": 1,
+ "permissions": ["same-origin"]
+ });
+ let iframe = service.load();
+ expect(iframe.getAttribute("sandbox")).toContain("allow-same-origin");
+ });
+ //Temporary
+ it('should deny same-origin for cross-origin plugins', function () {
+ let service = serviceClass.create({
+ "name": "Test",
+ "src": "https://evil.example.com/plugin.html",
+ "id": 2,
+ "permissions": ["same-origin"]
+ });
+ let iframe = service.load();
+ expect(iframe.getAttribute("sandbox")).not.toContain("allow-same-origin");
+ });
+
});
describe('KorAP.Plugin.QueryPanel', function () {