File tree Expand file tree Collapse file tree
.storybook/addons/codeEditorAddon Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -228,6 +228,14 @@ export const withCodeEditor = makeDecorator({
228228 const loadEditorContent = ( ) => {
229229 const storyElement = document . createElement ( 'iframe' ) ;
230230
231+ // Security: sandbox the iframe to restrict capabilities.
232+ // allow-same-origin is required for ES module loading; exfiltration is
233+ // blocked by the CSP meta tag injected below.
234+ storyElement . setAttribute (
235+ 'sandbox' ,
236+ 'allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox allow-forms'
237+ ) ;
238+
231239 storyElement . addEventListener (
232240 'load' ,
233241 ( ) => {
@@ -242,6 +250,18 @@ export const withCodeEditor = makeDecorator({
242250 const docContent = `
243251 <html>
244252 <head>
253+ <meta http-equiv="Content-Security-Policy"
254+ content="default-src 'self';
255+ script-src 'self' 'unsafe-inline';
256+ style-src 'self' 'unsafe-inline';
257+ connect-src https://graph.microsoft.com https://graph.microsoft.us https://dod-graph.microsoft.us https://graph.microsoft.de https://microsoftgraph.chinacloudapi.cn https://canary.graph.microsoft.com https://login.microsoftonline.com https://cdn.graph.office.net 'self';
258+ img-src 'self' data: blob: https://*.microsoft.com https://*.microsoftonline.com https://*.sharepoint.com https://*.office.com https://*.office365.com https://*.windows.net;
259+ font-src 'self' https://static2.sharepointonline.com;
260+ frame-src https://login.microsoftonline.com 'self';
261+ form-action 'none';
262+ object-src 'none';
263+ base-uri 'self';"
264+ />
245265 <script type="module" src="${ mgtScriptName } "></script>
246266 <script type="module">
247267 import { registerMgtComponents } from "${ mgtScriptName } ";
You can’t perform that action at this time.
0 commit comments