Remove sandbox allow-same-origin for core/html blocks #77212

alecgeatches merged 9 commits into trunk from fix/sandbox-allow-same-origin

Conversation
Why did we have to stop using the The original
@jsnajdr I appreciate the review! I pushed up a small refactor to split the logic into
I tried testing both of these by moving around an embed ( sandbox-testing.mov

In both cases, components sometimes remount when moved, but they properly load after movement and don't go blank or anything. Let me know if I missed anything important in your feedback. Thank you for your time, and for looking into this!
I was considering gating this on RTC being enabled, but I think this might be a good default. It honestly seems a bit off to me that the current
From my investigation, it seems like the only way to fully overcome these limitations but still allow embeds to work is to host sandboxed content on another domain, e.g. Since we can't assume any subdomain setup for random WordPress hosts, we can't rely on this. However, our overall trust in "Sandbox"ed code is very high, and I think this change of restricting
Thanks @alecgeatches for updating the PR. The approach where
I agree that we don't need the But I suspect that the This https://html.spec.whatwg.org/#the-iframe-element:html-element-post-connection-steps The
I'm not sure, I just don't want to accidentally revert some past bugfix. The embeds (like YouTube or Instagram) are often weird and sensitive about details. The rewrite can potentially destroy some markup that was added dynamically by some script.
The

jsnajdr left a comment
I think the checkMessageForResize listener for the isolated sandbox needs fixing. Otherwise this PR is ready to 🚢
You are correct! This was my experience in testing, and why embeds still use the
@jsnajdr Thank you for the feedback! I wasn't able to reproduce a scenario where an iframe lost resizing messages/ability by moving the block or switching in and out of code view, but it seems theoretically possible so I added some defensive code in 98d2802 to ensure the resize listener is reattached. Will merge when tests pass!
There was a conflict while trying to cherry-pick the commit to the wp/7.0 branch. Please resolve the conflict manually and create a PR to the wp/7.0 branch. PRs to wp/7.0 are similar to PRs to trunk, but you should base your PR on the wp/7.0 branch instead of trunk.
I can reproduce such a scenario on a toy app. Generate a little React app that does the following:
Then run the app and click inside both iframes. Both click events will be logged. Now swap the order. One of the iframes will be moved and it will lose the listener. Click inside both iframes and see how only one click event is logged now. Similar
Thanks, that looks good 👍 This is also how the
See #77699 for cherry-pick fix.
…to `wp/7.0`) (#77699) * Remove sandbox "allow-same-origin" attribute, use srcDoc instead * Add opt-in allowSameOrigin parameter, use it to fix embeds while keeping core/html locked down * Fix formatting * Use contentDocument.write() when allowSameOrigin is true to avoid referer errors * Refactor new same-origin disallowed sandbox into subcomponent for easier reading * Add CHANGELOG entry * Reattach resize listener on iframe load event Co-authored-by: alecgeatches <alecgeatches@git.wordpress.org> Co-authored-by: maxschmeling <maxschmeling@git.wordpress.org> Co-authored-by: jsnajdr <jsnajdr@git.wordpress.org>
This PR was backported to the
This updates the pinned hash from the `gutenberg` from `e2970ba736edb99e08fb369d4fb0c378189468ee` to `c15cef1d6b07f666df28dac0383bafb0edfe0914`. The following changes are included:

- RTC: Predefined retry schedules for disconnect dialog, make more lenient (WordPress/gutenberg#76966)
- Block Editor: Prevent Enter key from inserting paragraphs in contentOnly sections (WordPress/gutenberg#76989)
- Cover block: fix embed video background Error 153 in editor (WordPress/gutenberg#76904)
- Restore original template registration tests alongside activation variants (WordPress/gutenberg#77068)
- Avoid stale values in core/cover block for RTC compatibility (WordPress/gutenberg#76916)
- Bump oras-project/setup-oras (WordPress/gutenberg#77096) (WordPress/gutenberg#77110)
- RTC: Change SyncConnectionModal to isSyncConnectionErrorHandled filter and drop IS_GUTENBERG_PLUGIN check (WordPress/gutenberg#76853)
- contentOnly template lock: Fix block insertion and removal rules (WordPress/gutenberg#77119)
- Global Styles Revisions: Fix footer overflow (WordPress/gutenberg#77103)
- Revision: Fix 'Show changes' button reset state (WordPress/gutenberg#77122)
- Link picker: Decode HTML entities in link preview title (WordPress/gutenberg#77170)
- Connectors: don't clobber third-party custom render in registerDefaultConnectors (WordPress/gutenberg#77116)
- Connectors: Replace speak() with notice store for state changes (WordPress/gutenberg#77174)
- Core Data: Fix 'useEntityProp' for raw attributes (WordPress/gutenberg#77120)
- Fix PatternsActions prop name from postType to type (WordPress/gutenberg#77251)
- Fix: restore editor canvas padding in classic themes (WordPress/gutenberg#76864)
- RTC: Add filterable flag for meta box RTC compatibility (WordPress/gutenberg#76939)
- Fix failing 'WP_HTTP_Polling_Sync_Server' unit test (WordPress/gutenberg#77025) (WordPress/gutenberg#77325)
- Edit Post: Fix warning in 'useMetaBoxInitialization' hook (WordPress/gutenberg#77311)
- Update the page slug we link to for the AI plugin after the plugin has been installed and activated (WordPress/gutenberg#77336)
- Test: Connectors Point to the righ page. (WordPress/gutenberg#77272)
- Post Editor: Store metaboxes RTC-compatible flag on location entries (WordPress/gutenberg#77361)
- Core Abilities: Export initialization promise as `ready` (WordPress/gutenberg#77254)
- Block Editor: Strip per-block custom CSS on save for users without edit_css (WordPress/gutenberg#76650)
- Add heading level 1 for the fonts page (WordPress/gutenberg#77482)
- Connectors: Treat network-active plugins as active in plugin status check (WordPress/gutenberg#77661)
- RTC: Fix disconnect dialog due to uneditable entity (WordPress/gutenberg#77242)
- RTC: Fix "Connection Lost" dialog when too many entities are loaded (WordPress/gutenberg#77631)
- RTC: Fix "Edit as HTML" content reset during collaboration (WordPress/gutenberg#77043)
- RTC: Add optional `shouldSync` function to entity sync config (WordPress/gutenberg#76947)
- RTC: Fixed orphaned meta causing dirty editor state (WordPress/gutenberg#77529)
- Ensure "Retry" button is stable during retries (WordPress/gutenberg#77234)
- Patterns: add confirmation dialog before disconnecting/detaching (WordPress/gutenberg#75713)
- Template parts: make 'Detach' context menu item consistent across patterns and template parts (WordPress/gutenberg#77581)
- Remove sandbox `allow-same-origin` for core/html blocks (Merge WordPress/gutenberg#77212 to `wp/7.0`) (WordPress/gutenberg#77699)
- Added Context for Next/Prev Enlarge Image (WordPress/gutenberg#76967)
- Backport: Writing Flow: fix arrow keys skipping paragraph containing link (WordPress/gutenberg#77478)
- Revisions: Improve screen reader accessibility for diff markers region and slider (WordPress/gutenberg#77660)
- Connectors: Add role="list" wrapper to connector cards for valid ARIA structure (WordPress/gutenberg#77689)
- Command Palette: Fix macOs label for sites unable to determine UA via PHP (WordPress/gutenberg#77638)
- RTC: Fix inline inserter reset on update sync (WordPress/gutenberg#76980) (WordPress/gutenberg#77706)
- Connectors: keep focus on action Button during install (WordPress/gutenberg#77544)
- Added Translator Context for Reply (WordPress/gutenberg#77891)
- Editor: Improve revisions diff pairing performance (WordPress/gutenberg#77126)
- Core Data: Treat single-item responses specially (WordPress/gutenberg#76318)
- Site editor: preserve non-global styles in pattern previews (WordPress/gutenberg#77957)
- RTC: Fix divergence when two offline users reconnect (WordPress/gutenberg#77980)
- RTC: Fix compaction unit test (WordPress/gutenberg#77986)
- Connectors: Stop e2e capability restriction from leaking across specs (WordPress/gutenberg#77857)
- Connectors: Clarify AI plugin callout copy (WordPress/gutenberg#78043)
- Fix: Only auto register settings if the plugin the connector references is installed and active. (WordPress/gutenberg#77273)
- Connectors: Add is_active callback support to plugin registration (WordPress/gutenberg#77897)
- RTC: Fix race condition on room creation which can cause a split update log (WordPress/gutenberg#77675)
- RTC: Fix find_canonical_storage_post_id() always returning null (WordPress/gutenberg#78053)
- i18n: add context to scale (WordPress/gutenberg#76917)
- Revisions: Simplify fetching (WordPress/gutenberg#77086)
- e2e: Add e2e tests for template and template part revisions (WordPress/gutenberg#76923)
- Editor: Paginate revisions slider by 100 per page (WordPress/gutenberg#77200) (WordPress/gutenberg#78070)
- Revisions: Add diagonal stripe patterns to diff markers to avoid color-only distinction (WordPress/gutenberg#77904)
- Revision: Fix failing e2e test (WordPress/gutenberg#78079)
- Real-time collaboration: Bundle @wordpress/sync instead of exposing as wp.sync (WordPress/gutenberg#78085)

A full list of changes can be found on GitHub: https://github.com/WordPress/gutenberg/compare/e2970ba736edb99e08fb369d4fb0c378189468ee…c15cef1d6b07f666df28dac0383bafb0edfe0914.

Log created with:

git log --reverse --format="- %s" e2970ba736edb99e08fb369d4fb0c378189468ee..c15cef1d6b07f666df28dac0383bafb0edfe0914 | sed 's|#\([0-9][0-9]*\)|https://github.com/WordPress/gutenberg/pull/\1|g; /github\.com\/WordPress\/gutenberg\/pull/!d' | pbcopy

See #64595.

git-svn-id: https://develop.svn.wordpress.org/trunk@62333 602fd350-edb4-49c9-b593-d223f7449a82
What?

This removes the `allow-same-origin` sandbox attribute from the `SandBox` component, preventing scripts inside the sandboxed iframe from accessing the WordPress page's cookies and DOM. Callers that need same-origin access for nested embeds (like oEmbed previews) can opt in via a new `allowSameOrigin` prop.

Why?

The `SandBox` component currently uses `sandbox="allow-scripts allow-same-origin allow-presentation"` on its iframe. The combination of `allow-scripts` and `allow-same-origin` means scripts running inside the iframe have full access to the parent page's origin, including cookies and the ability to make authenticated requests. For the Custom HTML block, whose content is directly user-controlled, this allows injected scripts to act as the logged-in user.

This is not recommended:

How?

A new `allowSameOrigin` boolean prop (default `false`) controls the iframe's isolation level. The `SandBox` wrapper delegates to one of two internal components based on this prop:

- `<SameOriginSandBox>` (`allowSameOrigin={true}`): The sandbox attribute includes `allow-same-origin`, and the iframe content is written via `contentDocument.write()`. This code is intentionally kept identical to the pre-existing trunk implementation. The `contentDocument.write()` approach is needed because `srcdoc` sets the iframe's document URL to `about:srcdoc`, a local scheme that causes the browser to send no `Referer` header for nested iframe requests. This can break third-party embed providers like YouTube that check the referrer for domain authorization. Calling `contentDocument.open()` sets the document URL to the parent page's URL, so nested iframes send a valid `Referer`.
- `<IsolatedSandBox>` (`allowSameOrigin={false}`, default): The sandbox attribute is `allow-scripts allow-presentation` (no `allow-same-origin`), and the iframe content is populated via the `srcdoc` attribute. This gives the iframe an opaque origin with no access to the parent page's cookies or DOM.

Only the embed block and cover block's video background opt in, because their HTML comes from the server-side oEmbed pipeline rather than directly from block attributes.

The oEmbed pipeline is safe to grant same-origin access because the HTML is not easily attacker-controlled. When the editor needs embed preview HTML, it calls `getEmbedPreview(url)`, which makes a REST API request to `/oembed/1.0/proxy`. WordPress fetches the oEmbed response from the provider, runs it through `wp_filter_oembed_result()` (which strips dangerous tags like `<script>`), and returns sanitized HTML. An attacker injecting a `core/embed` block only controls the `url` attribute. The actual HTML that reaches the Sandbox comes from this server-side fetch-and-sanitize pipeline.

In contrast, the Custom HTML block passes `attributes.content` directly to the Sandbox's `html` prop with no server-side filtering, so this is a much easier attack vector.

Note that this only affects script previewing within the editor. Front-end script behavior remains unmodified.
Testing Instructions

First, try the following instructions on `trunk`. You should see the XSS behavior that dumps cookies and changes the current document's title on page load: xss-repro-trunk.mov

1. Insert a Custom HTML block, then click the "JS" tab. Insert this text:

   Dumping cookies is a stand-in for more malicious operations like CSRF requests to API endpoints.

2. Save the page and reload.
3. See that login cookies are echoed to console and the page's title changes.

Switch to this branch (`fix/sandbox-allow-same-origin`), and run the same test. Ensure that the XSS no longer fires: xss-repro-fixed.mov
Use of AI Tools

- AI assistance: Yes
- Tool(s): Claude Code
- Used for: Security analysis of the Sandbox component's iframe isolation and implementation of the `allowSameOrigin` opt-in prop.
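The two sandbox configurations and the trust rule from the "How?" section, as an added JavaScript example that is not code from Gutenberg or this PR. The function names, the `block.source` field and the sample markup are assumptions constructed for illustration; the audit helper goes slightly beyond the PR by scanning arbitrary editor markup for the `allow-scripts` + `allow-same-origin` combination.

```javascript
// Added example, not Gutenberg code: models the sandbox policy this PR describes
// and audits iframe markup for the combination that grants the parent's origin.
// All names here (sandboxIframeProps, chooseSandboxConfig, block.source, ...) are
// assumptions for illustration, not the component's real API.

const SANDBOX_SAME_ORIGIN = 'allow-scripts allow-same-origin allow-presentation'; // pre-PR trunk value
const SANDBOX_ISOLATED = 'allow-scripts allow-presentation'; // new default

// The sandbox attribute is an unordered, space-separated, ASCII case-insensitive token set.
function parseSandboxTokens(value) {
  return new Set(
    String(value).trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

// Scripts in the frame run with the embedding page's origin (cookies, DOM,
// authenticated requests) exactly when BOTH tokens are present; either one alone
// does not grant that, so this is the condition an audit should flag.
function grantsParentOrigin(sandboxValue) {
  const tokens = parseSandboxTokens(sandboxValue);
  return tokens.has('allow-scripts') && tokens.has('allow-same-origin');
}

// Props each internal component would put on its <iframe>, per the PR text:
// the isolated frame gets its HTML through srcdoc (opaque origin, about:srcdoc);
// the same-origin frame is written via contentDocument.write() after mount so
// nested embed requests still carry a Referer.
function sandboxIframeProps({ html, allowSameOrigin = false }) {
  if (allowSameOrigin) {
    return { sandbox: SANDBOX_SAME_ORIGIN, srcDoc: undefined, writeHtmlOnMount: html };
  }
  return { sandbox: SANDBOX_ISOLATED, srcDoc: html, writeHtmlOnMount: undefined };
}

// Trust boundary from the PR: only HTML that came through the server-side oEmbed
// proxy (fetched and sanitized by WordPress) may opt in; HTML taken straight from
// block attributes, as core/html does, never may. 'oembed-proxy' is a constructed label.
function chooseSandboxConfig(block, { allowSameOrigin = false } = {}) {
  const serverSanitized = block.source === 'oembed-proxy';
  if (allowSameOrigin && !serverSanitized) {
    throw new Error(`refusing allowSameOrigin for ${block.name}: HTML is not server-sanitized`);
  }
  return sandboxIframeProps({ html: block.html, allowSameOrigin });
}

// Walk an attribute string and return the sandbox value ('' for a bare attribute,
// null when absent). Quoted values are consumed whole so the word "sandbox" inside
// another attribute's value is not mistaken for the attribute itself.
function findSandboxAttribute(attrs) {
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = attrRe.exec(attrs)) !== null) {
    if (a[1].toLowerCase() === 'sandbox') return a[2] ?? a[3] ?? a[4] ?? '';
  }
  return null;
}

// Audit helper: report every <iframe> in a markup string and whether its sandbox
// grants the parent origin. Tag matching is a deliberate simplification (a regex,
// not an HTML parser) that is adequate for rendered editor markup like the sample below.
function auditIframeSandboxes(markup) {
  const findings = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(markup)) !== null) {
    const sandbox = findSandboxAttribute(m[1]);
    findings.push({
      tag: m[0],
      sandbox,
      unsandboxed: sandbox === null,
      grantsParentOrigin: sandbox !== null && grantsParentOrigin(sandbox),
    });
  }
  return findings;
}

// Constructed sample of editor markup: the Custom HTML frame before and after this
// PR, an embed preview that legitimately opts in, and a frame with no sandbox at all.
const SAMPLE_EDITOR_MARKUP = [
  '<iframe title="Custom HTML (trunk)" sandbox="allow-scripts allow-same-origin allow-presentation"></iframe>',
  '<iframe title="Custom HTML (this branch)" sandbox="allow-scripts allow-presentation" srcdoc="&lt;b&gt;hi&lt;/b&gt;"></iframe>',
  '<iframe title="Embed preview" sandbox="ALLOW-SCRIPTS allow-same-origin allow-presentation"></iframe>',
  "<iframe title='plain frame, no restrictions' src='https://example.com/'></iframe>",
].join('\n');

for (const f of auditIframeSandboxes(SAMPLE_EDITOR_MARKUP)) {
  const verdict = f.grantsParentOrigin ? 'PARENT-ORIGIN' : f.unsandboxed ? 'UNSANDBOXED' : 'isolated';
  console.log(verdict.padEnd(14), f.tag);
}
```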