Add allow-popups-to-escape-sandbox to render_iframe, and rationale

Asherah Connorrequested to merge
push-qwyztsqsrnso into master

What does this MR do and why?

Add allow-popups-to-escape-sandbox to render_iframe.js's IFRAME_SANDBOX_RESTRICTIONS, and a detailed rationale for each control we select.

This permits a YouTube embed to open a new window with the actual YouTube view page. See #282443 (comment 3256531201) (staff-only) for context.

References

Screenshots or screen recordings

Before After

How to set up and validate locally

  1. Enable the allow_iframes_in_markdown feature flag on your GDK.
  2. Under Admin → Settings → General → Embedded content (http://gdk.test:3000/admin/application_settings/general#js-iframe-settings), check "Enable embedded content", add www.youtube.com to the domain allowlist (the www. is very important), and click "Save changes".
  3. Restart your GDK. The allowlist setting is heavily cached.
  4. Using the plain-text editor, embed a YouTube video in a comment or issue/MR description. For example: 
    ![](https://www.youtube.com/watch?v=3URtTIdnXIk)
    Or you can paste a YouTube embed code.
  5. The embed should work; you can click on the play button and watch the video.
  6. Try clicking on the title (per the above videos) to open it in a new window. It shouldn't work.
  7. Check out this branch, and reload the page.
  8. Now the embed should work and you should be able to click the title to open it in a new window.
  9. Nyonkmaspäevast!

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports