
fix: enable iframe script execution #52257


Merged

Conversation

@kevinhongzl (Contributor) commented Jun 25, 2025

closes: #50373
closes: #51836

What

Auth manager pages are embedded in the web UI using iframes. However, the current sandbox lacks the allow-scripts permission, which breaks the functionality of the auth manager because it is built with FAB.

How

  • enable allow-scripts in iframe
  • implement source restriction with CSP, allowing only content from the backend server.
  • bypass missing-sandbox check*

*note: adding allow-scripts and removing allow-same-origin at the same time would prevent the FAB auth manager from accessing its resources, thus also breaking its functionality. Given that we are only embedding trusted sources, I think it is acceptable to relax the sandbox restriction here.


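An added example, not part of this PR and not Airflow's code, that models the trade-off the description above makes: which sandbox tokens let scripts run, which keep the frame's real origin, and when the combination is equivalent to no sandbox at all. Token semantics follow the HTML sandbox attribute; the "FAB page works" rule and the three named policies are assumptions taken from the description, not the repository's actual attribute values.

```typescript
// Added example, not Airflow code: a model of what an <iframe sandbox="..."> token
// set permits, so the trade-off in this PR can be reasoned about without a browser.
// Token semantics follow the HTML spec; fabPageWorks encodes the PR's claim
// (assumption) that the FAB auth manager needs both scripts and same-origin access.

const KNOWN_TOKENS: string[] = [
  "allow-scripts", "allow-same-origin", "allow-forms", "allow-popups",
  "allow-modals", "allow-downloads", "allow-top-navigation",
];

function hasToken(tokens: string[], tok: string): boolean {
  return tokens.indexOf(tok) !== -1;
}

// Parse a sandbox attribute value: whitespace-separated, ASCII case-insensitive.
// Browsers ignore unknown tokens, so they are dropped here too.
function parseSandbox(attr: string): string[] {
  const out: string[] = [];
  const parts = attr.trim().split(/\s+/);
  for (let i = 0; i < parts.length; i++) {
    const tok = parts[i].toLowerCase();
    if (hasToken(KNOWN_TOKENS, tok) && !hasToken(out, tok)) out.push(tok);
  }
  return out;
}

interface SandboxEffects {
  scriptsRun: boolean;        // JavaScript executes inside the frame
  opaqueOrigin: boolean;      // frame gets a unique origin: its real origin's cookies/storage are unreachable
  canReachEmbedder: boolean;  // frame script may walk window.parent.document
  sandboxEscapable: boolean;  // frame can delete its own sandbox attribute in the embedder's DOM
  fabPageWorks: boolean;      // assumption from the PR: needs scripts + same-origin resources
}

// Evaluate a token set for a frame that is (or is not) same-origin with the embedding page.
function evaluateSandbox(tokens: string[], frameIsSameOrigin: boolean): SandboxEffects {
  const scriptsRun = hasToken(tokens, "allow-scripts");
  const opaqueOrigin = !hasToken(tokens, "allow-same-origin");
  // allow-scripts + allow-same-origin on same-origin content is equivalent to no
  // sandbox: the framed script can reach parent.document and remove the attribute.
  const canReachEmbedder = scriptsRun && !opaqueOrigin && frameIsSameOrigin;
  return {
    scriptsRun: scriptsRun,
    opaqueOrigin: opaqueOrigin,
    canReachEmbedder: canReachEmbedder,
    sandboxEscapable: canReachEmbedder,
    fabPageWorks: scriptsRun && !opaqueOrigin,
  };
}

// The three candidate policies discussed in the PR (illustrative attribute values,
// not the repository's exact ones), all for a FAB page served from the UI's own origin.
function comparePolicies(): { [name: string]: SandboxEffects } {
  const policies: { [name: string]: string } = {
    noScripts: "allow-same-origin",                // before: scripts blocked, FAB breaks
    prSetting: "allow-scripts allow-same-origin",  // PR: FAB works, sandbox is escapable
    scriptsOnly: "allow-scripts",                  // alternative: sandbox holds, FAB breaks
  };
  const result: { [name: string]: SandboxEffects } = {};
  for (const name in policies) {
    result[name] = evaluateSandbox(parseSandbox(policies[name]), true);
  }
  return result;
}

// Standalone run: print the comparison.
const table = comparePolicies();
for (const name in table) {
  console.log(name, JSON.stringify(table[name]));
}
```

The comparison makes the PR's own note concrete: the only policy under which the FAB page works is also the one a same-origin frame can escape, so the justification rests entirely on the framed source being trusted. Restricting which origins may be framed at all is a separate control (the CSP part), and the reviewer's point later in this thread is that it belongs at the proxy, not in the UI.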

@boring-cyborg bot added the area:UI (Related to UI/UX. For Frontend Developers.) label, Jun 25, 2025
@kevinhongzl force-pushed the enable-script-exec-in-security branch from 12a43a8 to 0e2289a, June 25, 2025 15:56
@pierrejeambrun added this to the Airflow 3.0.3 milestone, Jun 25, 2025
@pierrejeambrun (Member) reviewed:

Nice thanks for the PR, overall looks good. I'll do a user test tomorrow.

Just one question

Just one question

@pierrejeambrun (Member) reviewed:

LGTM just one suggestion

@pierrejeambrun (Member) commented Jun 26, 2025

Just remembered that this was discussed before and shouldn't be done in AF3 but at the proxy level. Check #49895 for more details, we have documentation about that.

Actually that's for the content security policy part of this PR (which should be removed), we still need the allow-script part though.

@pierrejeambrun (Member) commented:

Can you also do the same (enable script) on the Plugin iframe pages/Iframe.tsx

@kevinhongzl force-pushed the enable-script-exec-in-security branch from 3bf5220 to 5a1b168, June 27, 2025 23:08
@kevinhongzl (Contributor, Author) commented:

Some updates:

  1. The root cause of error TS2339 was that tsc couldn't recognize the import.meta.env environment variable injected by vite. But tsc encountered this var in Error.ts (an upstream dependency of Security.ts) during compilation. I resolved this by including the definition vite-env.d.ts for tsc whenever ts is compiled.

  2. ESLint removes single-line comments before dealing with sandbox, so I failed to bypass the check by adding comments around iframes. Instead, I created variables for the sandbox settings and added explanations above them. I believe this is a clear way to document our reasoning here.

@kevinhongzl force-pushed the enable-script-exec-in-security branch from 5429c53 to ad34055, June 30, 2025 12:29
@pierrejeambrun pierrejeambrun added the backport-to-v3-0-test Mark PR with this label to backport to v3-0-test branch label Jun 30, 2025
@pierrejeambrun pierrejeambrun merged commit 4c7d43c into apache:main Jun 30, 2025
54 checks passed
Backport failed to create: v3-0-test.

You can attempt to backport this manually by running:

cherry_picker 4c7d43c v3-0-test

This should apply the commit to the v3-0-test branch and leave the commit in conflict state marking
the files that need manual conflict resolution.

After you have resolved the conflicts, you can continue the backport process by running:

cherry_picker --continue

pierrejeambrun pushed a commit to astronomer/airflow that referenced this pull request Jun 30, 2025
* fix: enable iframe script execution

* fix: include vite env variables when transpiling typescripts

* fix: add explanations to sandbox settings

* fix: remove csp change

(cherry picked from commit 4c7d43c)
@pierrejeambrun (Member) commented:

Manual backport #52568

pierrejeambrun added a commit that referenced this pull request Jun 30, 2025
* fix: enable iframe script execution

* fix: include vite env variables when transpiling typescripts

* fix: add explanations to sandbox settings

* fix: remove csp change

(cherry picked from commit 4c7d43c)

Co-authored-by: Zhen-Lun (Kevin) Hong <[email protected]>
Labels: area:UI (Related to UI/UX. For Frontend Developers.), backport-to-v3-0-test (Mark PR with this label to backport to v3-0-test branch)

Successfully merging this pull request may close these issues:

  • "Search" Panel in Security Menu Inaccessible in Airflow 3.0.2
  • "Blocked script execution" in security/users page