Add optional browser storage (localStorage) support for HTML attachments

Author: kernchen-brc

src/Controller/AttachmentFileController.php

@@ -66,11 +66,16 @@ public function htmlSandbox(Attachment $attachment, AttachmentsSettings $attachm
             'attachment' => $attachment,
             'content' => $attachmentContent,
             'show_warning' => $attachmentsSettings->showHTMLAttachmentWarning,
+            'allow_storage' => $attachmentsSettings->allowHTMLAttachmentStorage,
         ]);
 
         //Set an CSP that allows to run inline scripts, styles and images from external ressources, but does not allow any connections or others.
         //Also set the sandbox CSP directive with only "allow-script" to run basic scripts
-        $response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline' *; img-src data: *; sandbox allow-scripts allow-downloads allow-modals;");
+        $sandboxDirectives = 'allow-scripts allow-downloads allow-modals';
+        if ($attachmentsSettings->allowHTMLAttachmentStorage) {
+            $sandboxDirectives .= ' allow-same-origin';
+        }
+        $response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline' *; img-src data: *; sandbox {$sandboxDirectives};");
 
         //Forbid to embed the attachment render page in an iframe to prevent clickjacking, as it is not used anywhere else for now
         $response->headers->set('X-Frame-Options', 'DENY');

src/Services/InfoProviderSystem/Providers/LCSCProvider.php

@@ -72,4 +72,11 @@ class AttachmentsSettings
         envVar: "bool:ATTACHMENT_SHOW_HTML_WARNING", envVarMode: EnvVarMode::OVERWRITE
     )]
     public bool $showHTMLAttachmentWarning = true;
+
+    #[SettingsParameter(
+        label: new TM("settings.system.attachments.allowHTMLAttachmentStorage"),
+        description: new TM("settings.system.attachments.allowHTMLAttachmentStorage.help"),
+        envVar: "bool:ATTACHMENT_ALLOW_HTML_STORAGE", envVarMode: EnvVarMode::OVERWRITE
+    )]
+    public bool $allowHTMLAttachmentStorage = false;
 }

src/Settings/SystemSettings/AttachmentsSettings.php

@@ -67,7 +67,7 @@
 
         <iframe  referrerpolicy="no-referrer" class="content-frame"
                  {# When changing this sandbox, also change the sandbox CSP in the controller #}
-                 sandbox="allow-scripts allow-downloads allow-modals"
+                 sandbox="allow-scripts allow-downloads allow-modals{% if allow_storage %} allow-same-origin{% endif %}"
                  srcdoc="{{ content|e('html_attr') }}"
         ></iframe>
 

templates/attachments/html_sandbox.html.twig

@@ -13013,6 +13013,18 @@ Buerklin-API Authentication server:
         <target>When enabled, a warning banner is shown when viewing user uploaded HTML attachments in the sandbox, reminding the user that the content is untrusted.</target>
       </segment>
     </unit>
+    <unit id="Cx4Pqr9" name="settings.system.attachments.allowHTMLAttachmentStorage">
+      <segment state="translated">
+        <source>settings.system.attachments.allowHTMLAttachmentStorage</source>
+        <target>Allow HTML attachments to use browser storage (localStorage)</target>
+      </segment>
+    </unit>
+    <unit id="Dy5Rst0" name="settings.system.attachments.allowHTMLAttachmentStorage.help">
+      <segment state="translated">
+        <source>settings.system.attachments.allowHTMLAttachmentStorage.help</source>
+        <target>⚠️ When enabled, scripts inside user uploaded HTML attachments can read and write to the browser&apos;s localStorage. This allows data to persist across page reloads, but grants the attachment access to Part-DB&apos;s browser origin. Only enable this if you fully trust all users who can upload files.</target>
+      </segment>
+    </unit>
     <unit id="bRcdnJK" name="attachment.sandbox.back_to_partdb">
       <segment state="translated">
         <source>attachment.sandbox.back_to_partdb</source>