
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing. #24

Open
dh-harald opened this issue Oct 22, 2019 · 3 comments

Comments

@dh-harald

Hi,

I'm getting this error message in the JavaScript console. Hopefully, some security stuff in the newer Firefox (69.0.2).

Can you fix this somehow?

@rgruebel
Owner

Sorry for the late feedback. I can reproduce the problem with Firefox, but I have not found a solution yet. Maybe someone else has an idea?

@codewise-nicolas

I checked my Firefox, v73 (developer edition) and I can see the message as a warning, but not as an error. As a warning, it's just precautionary to let us know it can escape the sandbox.

Do you see it as an error?
Do you feel this is preventing your installation from working?

The sandbox="" attribute comes from HASS, by using the panel_iframe function.
To change the attributes would require going to HASS, specifically in the file ha-panel-iframe.html.
As per this SO answer https://stackoverflow.com/questions/35208161/is-it-safe-to-have-sandbox-allow-scripts-allow-popups-allow-same-origin-on-if allow-same-origin is not safe to use normally.

I would suggest you bring this up with the HASS developers to remove it, or to allow the config to set which attributes are used/set on iframes; as sometimes the iframe is pointing to our own local code which we deem safe and other times it may point to 3rd party where we want protections in place.
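An added example (not code from this issue or from Home Assistant) of the check behind the warning discussed above: it parses an iframe sandbox attribute value, flags the allow-scripts plus allow-same-origin combination that lets the framed document remove its own sandbox, and produces a hardened value that drops allow-same-origin. The token list and the "trusted vs. third-party" split are assumptions for illustration.

```javascript
// Sandbox tokens are whitespace-separated and ASCII case-insensitive
// (HTML spec); an empty value, as in sandbox="", means fully sandboxed.
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-downloads",
]);

// Parse the raw attribute value into an ordered set of lowercase tokens.
function parseSandbox(value) {
  return new Set(
    String(value).trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

// Audit one sandbox value. A framed document that is same-origin with its
// embedder AND may run scripts can reach parent.document and remove the
// sandbox attribute, which is what Firefox warns about.
function auditSandbox(value) {
  const tokens = parseSandbox(value);
  const unknown = [...tokens].filter((t) => !KNOWN_TOKENS.has(t));
  const escapable = tokens.has("allow-scripts") && tokens.has("allow-same-origin");
  return { tokens: [...tokens], unknown, escapable };
}

// Hardened value: keep scripts, drop allow-same-origin so the framed page
// gets an opaque origin. Note this also cuts the frame off from the host's
// cookies and storage, so apply it per panel (third-party content), not
// blindly to panels that point at the host's own code.
function hardenSandbox(value) {
  const { tokens, escapable } = auditSandbox(value);
  if (!escapable) return tokens.join(" ");
  return tokens.filter((t) => t !== "allow-same-origin").join(" ");
}

// Constructed sample values mirroring the issue's situation.
const SAMPLES = {
  hassDefault: "allow-scripts allow-same-origin allow-forms",
  thirdParty: "allow-scripts allow-forms",
};

if (typeof module !== "undefined" && require.main === module) {
  for (const [name, value] of Object.entries(SAMPLES)) {
    console.log(name, auditSandbox(value), "=>", hardenSandbox(value));
  }
}
```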

@rgruebel
Owner

@codewise-nicolas
Looks like it works again with the current version. In a previous version it was an error and the map was not displayed.
