fix: enable iframe script execution (apache#52257)

kevinhongzl · web-flow · commit 4c7d43c4f30f · 2025-06-30T15:09:42.000+02:00
* fix: enable iframe script execution

* fix: include vite env variables when transpiling typescripts

* fix: add explanations to sandbox settings

* fix: remove csp change
diff --git a/airflow-core/src/airflow/ui/src/pages/Iframe.tsx b/airflow-core/src/airflow/ui/src/pages/Iframe.tsx
@@ -44,10 +44,14 @@ export const Iframe = () => {
     return <ErrorPage />;
   }
 
+  // The following iframe sandbox setting is intentionally less restrictive.
+  // ONLY trusted contents can be framed within Iframe.
+  const sandbox = "allow-same-origin allow-forms";
+
   return (
     <Box flexGrow={1} m={-3}>
       <iframe
-        sandbox="allow-same-origin allow-forms"
+        sandbox={sandbox}
         src={iframeView.href}
         style={{ height: "100%", width: "100%" }}
         title={iframeView.name}
diff --git a/airflow-core/src/airflow/ui/src/pages/Security.tsx b/airflow-core/src/airflow/ui/src/pages/Security.tsx
@@ -43,14 +43,15 @@ export const Security = () => {
     return <ErrorPage />;
   }
 
+  // The following iframe sandbox setting is intentionally less restrictive.
+  // This is considered safe because the framed content originates from the Auth manager,
+  // which is part of the deployment of Airflow and trusted as per our security policy.
+  //    https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html
+  const sandbox = "allow-scripts allow-same-origin allow-forms";
+
   return (
     <Box flexGrow={1} m={-3}>
-      <iframe
-        sandbox="allow-same-origin allow-forms"
-        src={link.href}
-        style={{ height: "100%", width: "100%" }}
-        title={link.text}
-      />
+      <iframe sandbox={sandbox} src={link.href} style={{ height: "100%", width: "100%" }} title={link.text} />
     </Box>
   );
 };
diff --git a/scripts/ci/pre_commit/ts_compile_lint_ui.py b/scripts/ci/pre_commit/ts_compile_lint_ui.py
@@ -47,6 +47,8 @@
     all_non_yaml_files = [file for file in files if not file.endswith(".yaml")]
     print("All non-YAML files:", all_non_yaml_files)
     all_ts_files = [file for file in files if file.endswith(".ts") or file.endswith(".tsx")]
+    if all_ts_files:
+        all_ts_files.append("src/vite-env.d.ts")
     print("All TypeScript files:", all_ts_files)
 
     run_command(["pnpm", "config", "set", "store-dir", ".pnpm-store"], cwd=dir)
