You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is there a way to mitigate this? I'd love to keep some of this executable logic in the child window, but the issues above are both things we need to know before we can even begin to render.
Also we're limited to having to do a lot synchronously, since if the component author wants to render a popup, we have to do everything in the same frame as the button click.
Thoughts?
The text was updated successfully, but these errors were encountered:
Leaning in the direction of a 'yes' on this. Reasons:
We're already allowing functions for prop defaults
At least the component definition should always be pretty lightweight, meaning whoever is pulling it in should be able to easily scan it for vulnerabilities
It's still possible to write 'javascript free' component definitions if you want to, as a subset of possible definitions
The way I've been designing this so far is to prevent any custom javascript from running on the parent site.
This makes it safer for component users, because they can see that the only code they're running is:
xcomponent
, which is open source and unlikely to contain vulnerabilitiesBut allowing parent-side logic is becoming more and more necessary, for features like:
And probably other future features.
Is there a way to mitigate this? I'd love to keep some of this executable logic in the child window, but the issues above are both things we need to know before we can even begin to render.
Also we're limited to having to do a lot synchronously, since if the component author wants to render a popup, we have to do everything in the same frame as the button click.
Thoughts?
The text was updated successfully, but these errors were encountered: