fix(security): validate + sandbox the legacy-admin iframe (#665)

legacy_url from the form-spec legacy-iframe fallback is now validated before
reaching the <iframe src> / <a href> sinks: only a same-origin http(s) URL is
framed/linked (new safeLegacyUrl helper, mirroring action-redirect.ts); a
javascript:/data:/blob: scheme or off-origin target renders an inert error
card. The iframe carries sandbox="allow-forms allow-scripts allow-same-origin".
SECURITY.md §QSEC-03 adds frame-src 'self' and documents the X-Frame-Options ↔
legacy-iframe interaction. Tests cover the validator and the rejection paths.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: martin-castro-laminr-ai

SECURITY.md

@@ -275,6 +275,7 @@ Content-Security-Policy:
   connect-src 'self';                 # the API is same-origin
   manifest-src 'self';
   worker-src 'self';                  # the PWA service worker
+  frame-src 'self';                   # legacy-admin iframe fallback (#659) — same-origin only
   frame-ancestors 'none';             # clickjacking (with X_FRAME_OPTIONS)
   base-uri 'self';
   form-action 'self';
@@ -291,6 +292,26 @@ Caveats — **validate before enforcing**:
   `style` attributes at runtime; it is far lower-risk than allowing
   inline scripts. Drop it if you verify your build needs no inline
   styles.
+- `frame-src 'self'` and the **X-Frame-Options interaction** — the SPA's
+  legacy-admin fallback (#659) embeds the legacy admin change/add page in
+  a **same-origin** `<iframe>` when a `ModelAdmin` overrides
+  `change_form_template` / `add_form_template`. `frame-src 'self'` is the
+  explicit allowlist for that frame: it both **permits** the intended
+  same-origin embed and **blocks** an off-origin `legacy_url` (defence in
+  depth — the SPA also validates the URL client-side as same-origin
+  http(s) and sandboxes the iframe with `allow-forms allow-scripts
+  allow-same-origin`). Two interaction notes:
+  - **`X_FRAME_OPTIONS = "DENY"` will break the iframe** if it is applied
+    to the legacy admin's *own* responses, because the legacy admin page
+    is what gets framed. If you use the legacy-iframe fallback, scope
+    `X-Frame-Options` (and any `frame-ancestors`) so the legacy admin
+    permits same-origin framing — e.g. set `X_FRAME_OPTIONS = "SAMEORIGIN"`
+    for the legacy admin responses, or omit the header on that mount.
+    `frame-ancestors 'none'` on the *SPA shell* is fine — it controls who
+    may frame the SPA, not what the SPA may frame.
+  - If you do **not** use a custom `change_form_template` (the SPA renders
+    every form from the JSON form-spec), no iframe is ever created and you
+    can drop `frame-src` and keep `X_FRAME_OPTIONS = "DENY"` everywhere.
 - This policy assumes the package is mounted on its own path under your
   domain. If you already ship a project-wide CSP, **merge** these
   directives rather than replacing your policy.

frontend/apps/web/src/legacy-url.test.ts

@@ -0,0 +1,37 @@
+import { describe, expect, it } from 'vitest';
+
+import { safeLegacyUrl } from './legacy-url';
+
+const ORIGIN = 'https://admin.example.com';
+
+describe('safeLegacyUrl (#665)', () => {
+  it('accepts a same-origin relative legacy-admin path and returns an absolute same-origin URL', () => {
+    expect(safeLegacyUrl({ url: '/admin/auth/group/1/change/', currentOrigin: ORIGIN })).toBe(
+      'https://admin.example.com/admin/auth/group/1/change/',
+    );
+  });
+
+  it('accepts an absolute same-origin http(s) URL', () => {
+    expect(
+      safeLegacyUrl({ url: 'https://admin.example.com/admin/x/', currentOrigin: ORIGIN }),
+    ).toBe('https://admin.example.com/admin/x/');
+  });
+
+  it('rejects a javascript: URL (anchor-click code execution)', () => {
+    expect(safeLegacyUrl({ url: "javascript:alert(1)", currentOrigin: ORIGIN })).toBeNull();
+  });
+
+  it('rejects data: and blob: schemes', () => {
+    expect(safeLegacyUrl({ url: 'data:text/html,<h1>x', currentOrigin: ORIGIN })).toBeNull();
+    expect(safeLegacyUrl({ url: 'blob:https://admin.example.com/abc', currentOrigin: ORIGIN })).toBeNull();
+  });
+
+  it('rejects an off-origin http(s) URL (phishing surface inside admin chrome)', () => {
+    expect(safeLegacyUrl({ url: 'https://attacker.example/', currentOrigin: ORIGIN })).toBeNull();
+    expect(safeLegacyUrl({ url: '//attacker.example/x', currentOrigin: ORIGIN })).toBeNull();
+  });
+
+  it('rejects an unparseable URL', () => {
+    expect(safeLegacyUrl({ url: 'http://[::bad', currentOrigin: ORIGIN })).toBeNull();
+  });
+});

frontend/apps/web/src/legacy-url.ts

@@ -0,0 +1,53 @@
+// Legacy-iframe URL validation (#665).
+//
+// The form-spec endpoint can return `{renderer: "legacy-iframe", legacy_url}`
+// to embed the legacy admin change/add page inside the SPA shell (#659). That
+// URL flows into both an `<iframe src>` and an `<a href target=_blank>`, so it
+// reaches two navigational sinks. The SPA *should* be able to trust the API,
+// but every other navigational sink in this codebase validates before using a
+// server-supplied URL (`action-redirect.ts` parses + origin/mount-checks the
+// action redirect; `views.py` percent-encodes `next`). This is the one
+// server-emitted URL that previously reached `src`/`href` unchecked — a
+// compromised, buggy, or request-influenced backend could emit a
+// `javascript:` URL (executes from the anchor on click) or an off-origin
+// `http://attacker/` URL (renders attacker content inside the authenticated
+// admin chrome — a high-fidelity phishing surface). We close that with the
+// same parse-and-validate discipline used elsewhere.
+//
+// The legacy admin lives on the SAME origin as the SPA (under its own admin
+// prefix, NOT the SPA mount), so the rule is: parse against the current
+// origin, require an `http:`/`https:` scheme, and require the parsed origin to
+// equal the current origin. Anything else (a non-http(s) scheme like
+// `javascript:`/`data:`/`blob:`, or a cross-origin target) is rejected and the
+// caller renders an inert error card instead of framing/linking it.
+
+export interface ValidateLegacyUrlArgs {
+  url: string;
+  /** Current page origin. Defaults to `window.location.origin`; the test
+   *  injects a known value (jsdom's origin is fixed). */
+  currentOrigin?: string;
+}
+
+/**
+ * Return a safe, same-origin http(s) URL string, or `null` when the URL is
+ * unparseable, uses a non-http(s) scheme, or points off-origin.
+ *
+ * Returning the *re-serialised* parsed URL (not the raw input) means the value
+ * handed to `src`/`href` is exactly what passed validation — no room for a
+ * parser-differential between the check and the sink.
+ */
+export function safeLegacyUrl(args: ValidateLegacyUrlArgs): string | null {
+  const origin = args.currentOrigin ?? window.location.origin;
+  let parsed: URL;
+  try {
+    parsed = new URL(args.url, origin);
+  } catch {
+    return null;
+  }
+  // Reject `javascript:` / `data:` / `blob:` / `mailto:` etc. outright — only
+  // real navigable web schemes are allowed in an iframe/anchor here.
+  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
+  // The legacy admin is same-origin; an off-origin target is never legitimate.
+  if (parsed.origin !== origin) return null;
+  return parsed.href;
+}

frontend/apps/web/src/pages/detail/ChangeForm.test.tsx

@@ -63,6 +63,31 @@ describe('ChangeForm (#659)', () => {
     const iframe = screen.getByTitle('Legacy admin form') as HTMLIFrameElement;
     expect(iframe).toBeInTheDocument();
     expect(iframe.src).toContain('/admin/auth/group/1/change/');
+    // #665: the iframe is sandboxed with an explicit allowlist (no
+    // allow-top-navigation / allow-popups / allow-modals).
+    expect(iframe.getAttribute('sandbox')).toBe('allow-forms allow-scripts allow-same-origin');
+  });
+
+  it('rejects a javascript: legacy_url and renders an inert error card (no iframe) (#665)', () => {
+    specState = {
+      data: { renderer: 'legacy-iframe', legacy_url: 'javascript:fetch("/admin/")' },
+      loading: false,
+      error: null,
+    };
+    renderChangeForm();
+    expect(screen.queryByTitle('Legacy admin form')).not.toBeInTheDocument();
+    expect(screen.getByText(/can’t be displayed/i)).toBeInTheDocument();
+  });
+
+  it('rejects an off-origin legacy_url and renders the error card (#665)', () => {
+    specState = {
+      data: { renderer: 'legacy-iframe', legacy_url: 'https://attacker.example/admin/' },
+      loading: false,
+      error: null,
+    };
+    renderChangeForm();
+    expect(screen.queryByTitle('Legacy admin form')).not.toBeInTheDocument();
+    expect(screen.getByText(/can’t be displayed/i)).toBeInTheDocument();
   });
 
   it('renders the form-spec fields (request-aware get_form / fieldsets) via EditForm', () => {

frontend/apps/web/src/pages/detail/LegacyIframe.tsx

@@ -12,12 +12,35 @@ import { ExternalLink } from 'lucide-react';
 
 import { Button, Card, t } from '@dar/ui';
 
+import { safeLegacyUrl } from '../../legacy-url';
+
 export interface LegacyIframeProps {
   url: string;
   onCancel: () => void;
 }
 
 export function LegacyIframe({ url, onCancel }: LegacyIframeProps) {
+  // Validate the server-supplied `legacy_url` before it reaches the iframe
+  // `src` / anchor `href` (#665): same-origin + http(s) only. A
+  // `javascript:` / `data:` URL or an off-origin target is rejected and we
+  // render an inert error card instead — never frame/link an unvalidated URL.
+  const safe = safeLegacyUrl({ url });
+
+  if (safe === null) {
+    return (
+      <Card>
+        <div className="space-y-3">
+          <p className="text-sm text-red-700">
+            {t('This form can’t be displayed: its address is invalid or points off-site.')}
+          </p>
+          <Button type="button" variant="ghost" onClick={onCancel}>
+            {t('Cancel')}
+          </Button>
+        </div>
+      </Card>
+    );
+  }
+
   return (
     <Card>
       <div className="space-y-3">
@@ -27,7 +50,7 @@ export function LegacyIframe({ url, onCancel }: LegacyIframeProps) {
           </p>
           <div className="flex shrink-0 items-center gap-2">
             <a
-              href={url}
+              href={safe}
               target="_blank"
               rel="noopener noreferrer"
               className="inline-flex items-center gap-1.5 rounded-md border border-gray-300 bg-white px-3 py-1.5 text-sm font-medium text-gray-700 hover:bg-gray-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-blue-500"
@@ -40,8 +63,14 @@ export function LegacyIframe({ url, onCancel }: LegacyIframeProps) {
           </div>
         </div>
         <iframe
-          src={url}
+          src={safe}
           title={t('Legacy admin form')}
+          // Defence-in-depth (#665): the legacy admin needs forms + scripts +
+          // same-origin cookies to function, but this explicit allowlist drops
+          // the unsafe-by-default capabilities — `allow-top-navigation`,
+          // `allow-popups`, `allow-modals` — so a framed page can't break out
+          // of the admin chrome even if `legacy_url` were ever subverted.
+          sandbox="allow-forms allow-scripts allow-same-origin"
           className="h-[70vh] w-full rounded border border-gray-200 bg-white"
         />
       </div>