
fix: sandboxed iFrames with srcDoc #11426

Merged: 9 commits merged into release from sandboxed-iframes on Oct 4, 2022

Conversation

riodeuno (Contributor) commented Feb 24, 2022

Description

Change iFrame widgets to use sandbox mode if srcDoc is provided.
Allowed options:
`allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-scripts allow-top-navigation-by-user-activation`

The sandbox attribute is configurable with the APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX env variable.

Fixes #TBD

Type of change

  • Disallows iFrames with srcDoc from using same-origin requests. Can change how some user apps behave.

How Has This Been Tested?

  • TBD

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Test coverage results 🧪

🟢 Total coverage has increased

Code coverage diff between base branch: release and head branch: sandboxed-iframes

| Status | File | % Stmts | % Branch | % Funcs | % Lines |
| --- | --- | --- | --- | --- | --- |
| 🟢 | total | 55.74 (0) | 37.07 (0.02) | 35.8 (0) | 56.1 (0) |
| 🟢 | app/client/src/utils/WorkerUtil.ts | 89.76 (0.78) | 72.55 (3.92) | 100 (0) | 93.33 (0.95) |
| 🟢 | app/client/src/utils/autocomplete/TernServer.ts | 52.94 (0.23) | 41.67 (0.84) | 36.21 (0) | 56.99 (0.25) |


@riodeuno riodeuno changed the title Sandboxed iFrames with srcDoc fix: sandboxed iFrames with srcDoc Feb 24, 2022
github-actions bot commented:

Unable to find test scripts. Please add necessary tests to the PR.

@github-actions github-actions bot added the Bug Something isn't working label Feb 24, 2022

@riodeuno riodeuno marked this pull request as draft February 24, 2022 15:13
sharat87 (Member) previously approved these changes Mar 2, 2022 and left a comment:

Can we merge this?

github-actions bot commented Mar 9, 2022

This PR has not seen activity for a while. It will be closed in 7 days unless further activity is detected.

@github-actions github-actions bot added the Stale label Mar 9, 2022
github-actions bot commented:

This PR has been closed because of inactivity.

@github-actions github-actions bot closed this Mar 16, 2022
@sharat87 sharat87 reopened this Sep 5, 2022

sharat87 (Member) commented:

@riodeuno @mohanarpit, could the two of you take a look at this PR please? I'd like to merge this in soon so we can start working on adding a UI for this setting in Admin Settings.

Comment on lines +134 to +137 of the reviewed file:

```ts
disableIframeWidgetSandbox: process.env
  .APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX
  ? process.env.APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX.length > 0
  : false,
```
sharat87 (Member) commented:

Prettier wouldn't be happy until I wrote it like this. Is there a better way to express this, or is this okay?

riodeuno (Contributor, Author) commented:

This is ok, as we're only making sure that the value is a string or array with length greater than zero.

sharat87 (Member) commented:

Oh yeah, I meant the splitting of process.env.APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX into two lines, which, honestly, looks not very prettier. Sorry, should've been clearer. 🙂

riodeuno (Contributor, Author) commented:

Opinion: The whole line width hoopla is probably due to side-by-side diffs and old CRT resolutions. With top-down diffs, we can technically increase the number of characters to display in a line by quite a bit. We used to have 80 characters, 120 is today's default, most likely we'll see it increase to 160+ characters in the near future.

sharat87 (Member) commented:

Oh sure, I won't bother to disagree, but even if we want to solve this line-length thingy here, this screenshot looks a lot better than what we have here. Hate that prettier thinks this is, well, prettier.

[Screenshot 2022-09-27 at 09 41 50]

riodeuno (Contributor, Author) commented:

Agreed. By virtue of being input-agnostic software (it handles unknown code purely based on language syntax), it has issues.
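
The sandbox decision this PR describes, together with the env-flag parsing debated in the review thread above, as an added JavaScript example (not Appsmith's own code); the function names and the `env` parameter are assumptions.

```javascript
// Added example (not Appsmith's own code): the sandbox decision this PR
// describes, as pure functions. Names are assumptions for illustration.

// The allow-list from the PR description. allow-same-origin is deliberately
// absent: a srcDoc frame would otherwise run in the host app's origin and
// could reach its cookies, storage and DOM.
const SANDBOX_ALLOW_LIST = [
  "allow-forms",
  "allow-modals",
  "allow-orientation-lock",
  "allow-pointer-lock",
  "allow-popups",
  "allow-scripts",
  "allow-top-navigation-by-user-activation",
];

// Same rule as the reviewed config line: any non-empty value disables the
// sandbox, unset or "" keeps it on. Note that "0" and "false" also disable it.
function isSandboxDisabled(env) {
  const value = env.APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX;
  return typeof value === "string" && value.length > 0;
}

// Props for the <iframe>: sandbox only when srcDoc is given and the flag has
// not disabled it; a plain src URL keeps the pre-PR (unsandboxed) behaviour.
function iframeProps({ src, srcDoc }, env) {
  const props = {};
  if (srcDoc) {
    props.srcDoc = srcDoc;
    if (!isSandboxDisabled(env)) props.sandbox = SANDBOX_ALLOW_LIST.join(" ");
  } else if (src) {
    props.src = src;
  }
  return props;
}

// Guard for anyone extending the allow-list: a sandbox that grants both
// allow-scripts and allow-same-origin lets a same-origin embedded document
// remove the sandbox attribute itself, so the two must never be combined.
function isEffectiveSandbox(sandbox) {
  if (typeof sandbox !== "string") return false; // no attribute at all
  const tokens = new Set(sandbox.split(/\s+/).filter(Boolean));
  return !(tokens.has("allow-scripts") && tokens.has("allow-same-origin"));
}

// Constructed sample: sandboxed when the flag is unset, not when it is set.
const sample = { srcDoc: "<h1>Hello from srcDoc</h1>" };
console.log(iframeProps(sample, {}).sandbox);
console.log(iframeProps(sample, { APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX: "1" }).sandbox);
```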

mohanarpit
mohanarpit previously approved these changes Sep 29, 2022
sharat87 (Member) commented:

/ok-to-test sha=3c1126c

github-actions bot commented:

Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/3152188894.
Workflow: Appsmith External Integration Test Workflow.
Commit: 3c1126c.
PR: 11426.

sharat87 (Member) commented:

/ok-to-test sha=f2b5f2b

github-actions bot commented:

Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/3157093106.
Workflow: Appsmith External Integration Test Workflow.
Commit: f2b5f2b.
PR: 11426.

github-actions bot commented:
UI Performance test run logs and artifacts: https://github.com/appsmithorg/appsmith/actions/runs/3157093106.

sharat87 (Member) commented Oct 3, 2022

/ok-to-test sha=905422c


github-actions bot commented Oct 3, 2022

Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/3173154926.
Workflow: Appsmith External Integration Test Workflow.
Commit: 905422c.
PR: 11426.

github-actions bot commented Oct 3, 2022

UI Performance test run logs and artifacts: https://github.com/appsmithorg/appsmith/actions/runs/3173154926.

sharat87 (Member) commented Oct 4, 2022

/ok-to-test sha=5ae2f3d

github-actions bot commented Oct 4, 2022

Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/3180681073.
Workflow: Appsmith External Integration Test Workflow.
Commit: 5ae2f3d.
PR: 11426.

github-actions bot commented Oct 4, 2022

UI Performance test run logs and artifacts: https://github.com/appsmithorg/appsmith/actions/runs/3180681073.

@riodeuno riodeuno added iFrame Issues related to iFrame App Viewers Pod This label assigns issues to the app viewers pod DevOps Pod Issues related to devops labels Oct 4, 2022
@sharat87 sharat87 merged commit e6b89d0 into release Oct 4, 2022
@sharat87 sharat87 deleted the sandboxed-iframes branch October 4, 2022 09:50