Gitiles
Code Review Sign In
korap.ids-mannheim.de / KorAP / Kalamar / 0d0dc6bc356a4f5f27e1fdce7480ee80ef88ea44^! / . / dev / js / src / plugin / service.js
commit0d0dc6bc356a4f5f27e1fdce7480ee80ef88ea44[log] [tgz]
authorMarc Kupietz <kupietz@ids-mannheim.de>Sun Feb 15 08:43:12 2026 +0100
committerHelge <stallkamp@ids-mannheim.de>Mon May 04 11:32:54 2026 +0200
tree5c98baf293d346ac0fe4ebefd383d2bf96aa415b
parent507dd23119e4548574ca825e729ad287a3fef23a [diff] [blame]
Restrict allow-same-origin to plugins that actually ARE AND request it

Only grant allow-same-origin sandbox permission to plugins that
explicitly request it AND are hosted on the same origin as the
application. Cross-origin plugins requesting same-origin are denied
with a warning log.

To request same-origin, you need to add this in the local plugin
configurarzin, for example as follows:

```
{
  "name" : "Export",
  "desc" : "Exports Kalamar results",
  "embed" : [{
    "panel" : "result",
    "title" : "exports KWICs and snippets",
    "icon" : "\uf019",
    "classes" : ["button-icon", "plugin" ],
    "onClick" : {
      "action" : "addWidget",
      "template" : "https://korap.ids-mannheim.de/instance/test-docker/plugin/export/export",
      "permissions" : ["forms", "scripts", "downloads", "same-origin" ]
    }
  }]
}
```

Change-Id: Ifcaddc4f39023c4d885921b2d527f5748811c78d

diff --git a/dev/js/src/plugin/service.js b/dev/js/src/plugin/service.js
index aa00182..ef6836c 100644
--- a/dev/js/src/plugin/service.js
+++ b/dev/js/src/plugin/service.js

@@ -3,14 +3,28 @@
 define(function () {
 
   // Limit the supported sandbox permissions, especially
-  // to disallow 'same-origin'.
+  // to disallow 'same-origin' unless explicitly requested
+  // and the plugin is hosted on the same origin.
   let allowed = {
     "scripts" : 1,
     "presentation" : 1,
     "forms": 1,
     "downloads-without-user-activation" : 1,
     "downloads" : 1,
-    "popups" : 1
+    "popups" : 1,
+    "same-origin" : 1
+  };
+
+  /**
+   * Check if a URL is on the same origin as the current page.
+   */
+  function _isSameOrigin (src) {
+    try {
+      const url = new URL(src, window.location.href);
+      return url.origin === window.location.origin;
+    } catch (e) {
+      return false;
+    }
   };
 
   return {
@@ -71,7 +85,14 @@
       e.setAttribute('frameborder', 0);
       // Allow forms in Plugins
       let permissions = Array.from(this._perm).sort().map(function(i){ return "allow-"+i });
-      permissions.push("allow-same-origin");
+
+      // Only grant same-origin if plugin explicitly requested it
+      // AND is hosted on the same origin (security gate)
+      if (this._perm.has("same-origin") && !_isSameOrigin(this.src)) {
+        permissions = permissions.filter(function(p) { return p !== "allow-same-origin" });
+        KorAP.log(0, "Ignoring same-origin permission for cross-origin plugin");
+      };
+
       e.setAttribute('sandbox', permissions.join(" "));
       e.style.height = '0px';
       e.setAttribute('name', this.id);