From 571b6089a4b5b78927e053b899b09a6af37037aa Mon Sep 17 00:00:00 2001
From: Veloman Yunkan <veloman.yunkan@gmail.com>
Date: Mon, 6 Mar 2023 18:17:52 +0400
Subject: [PATCH] A pseudosafe iframe

This prevents scripts running inside an iframe from inadvertently
manipulating the top browsing context. However a malicious script could
still remove the sandboxing imposed on it (because the combination of
"allow-same-origin" and "allow-scripts" is vulnerable).
---
 static/viewer.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/static/viewer.html b/static/viewer.html
index 571bc5780..5d12fadda 100644
--- a/static/viewer.html
+++ b/static/viewer.html
@@ -69,6 +69,7 @@
 
     <iframe id="content_iframe"
             referrerpolicy="same-origin"
+            sandbox="allow-same-origin allow-scripts"
             onload="on_content_load()"
             src="./skin/blank.html?KIWIXCACHEID" title="ZIM content" width="100%"
             style="border:0px">