Skip to content

Draft: Fix webpack dev-server for sandboxed mermaid

Dheeraj Joshi requested to merge djadmin-fix-sandbox-mermaid-webpack-issues into master

What does this MR do and why?

Follow-up from !76470 (comment 800740152). Main MR - !74414 (merged).

Feature context

  • We added a new iframe to render mermaid diagrams, and the src for the iframe is /-/sandbox/mermaid.
  • The iframe uses sandbox attribute (without allow-same-origin) to prevent security issues originating from Mermaid library

    allow-same-origin: If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).

Problem

Any page rendering these mermaid diagrams would get a stream of webpack errors. It makes it a bit annoying to use browser console and potentially impact developer productivity.

  • Error: (ref screenshot section )

> Invalid Host/Origin header

> [WDS] Disconnected!

Code references

<%= webpack_bundle_tag("sandboxed_mermaid") %>
setAttributes(iframeEl, {
    src: getSandboxFrameSrc(),
    sandbox: 'allow-scripts',
    frameBorder: 0,
    scrolling: 'no',
    width: '100%',
  });

Potential Fix

Tried a fix by disabling host checking, but that's not ideal and can lead to security issues. Looking for ideas for properly fixing the issue, maybe

  1. Maybe we can disable HMR for this particular bundle?
  2. Maybe we can add null origin to the allowed list. Need to check with security implications though

Screenshots or screen recordings

before after (no errors)
image image

How to set up and validate locally

  1. Enable the feature flag

    Feature.enable(:sandboxed_mermaid)

  2. Create an issue / MR and generate mermaid diagrams

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dheeraj Joshi

Merge request reports