Fix plugin sandbox permissions
Add `allow-same-origin` to the iframe sandbox attribute. This allows
plugins to share the origin with the application, enabling access to
session cookies and fixing CORS failures in strict browsers (Firefox,
Safari).
Change-Id: Ic3ff8a343f406a44cc673097f0eeb2be74050f5b
diff --git a/dev/js/src/plugin/service.js b/dev/js/src/plugin/service.js
index d6af83e..aa00182 100644
--- a/dev/js/src/plugin/service.js
+++ b/dev/js/src/plugin/service.js
@@ -70,7 +70,9 @@
e.setAttribute('allowTransparency',"true");
e.setAttribute('frameborder', 0);
// Allow forms in Plugins
- e.setAttribute('sandbox', Array.from(this._perm).sort().map(function(i){ return "allow-"+i }).join(" "));
+ let permissions = Array.from(this._perm).sort().map(function(i){ return "allow-"+i });
+ permissions.push("allow-same-origin");
+ e.setAttribute('sandbox', permissions.join(" "));
e.style.height = '0px';
e.setAttribute('name', this.id);
e.setAttribute('src', this.src);
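Review bot: `permissions.push("allow-same-origin")` grants the token to every plugin iframe regardless of what the plugin registered in `this._perm`, so a plugin served from the application's origin is no longer isolated by the sandbox. If `this._perm` can also contain `scripts` (not visible in this hunk), such a frame holds both `allow-scripts` and `allow-same-origin`, which the HTML specification warns lets the framed document reach its parent and remove its own sandbox attribute; it also gets the session cookies the commit message mentions. I would make this opt-in per plugin: keep the original single `setAttribute` line and let a trusted plugin request `same-origin` through `this._perm`, which also avoids emitting the token twice when it is already in the set. Whichever way it goes, the stale `// Allow forms in Plugins` comment should become something like `// allow-same-origin plus allow-scripts voids the sandbox for same-origin plugins; grant only to trusted plugins`. The enclosing function starts and ends outside the hunk, so how `this._perm` is populated and validated cannot be checked from here.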