The new log viewer implementation loads a third party domain into an iframe. To reduce the damage that can be done, we should set the `sandbox` property for the iframe to a suitable value, to limit the iframe content's ability to affect Treeherder. See: https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe
The iframe that needs the `sandbox` attribute setting is here: https://github.com/mozilla/treeherder/blob/2a6d6f9b10f2a487a43cee0b240701991bed4ed4/ui/partials/logviewer/logviewer.html

To test, follow the instructions here: https://treeherder.readthedocs.io/ui/installation.html#running-the-standalone-development-server

And then visit a URL like: http://localhost:5000/logviewer.html#?job_id=128312507&repo=mozilla-inbound

...and compare with the stage version, checking everything still loaded: https://treeherder.allizom.org/logviewer.html#?job_id=128312507&repo=mozilla-inbound

If there were errors in the web console, you may need to use the `sandbox` settings to add back a few permissions.

Note: If more than 4 months have passed since this comment, that job will no longer exist, and you'll need to find another job_id / log page to use as an example, by visiting stage (https://treeherder.allizom.org/#/jobs?repo=mozilla-inbound), clicking on a job and using the log icon on the bottom panel.

Once you're happy with the change, open a pull request with a title of form "Bug NNNNNN - MESSAGE" and a bot will create a link attachment here, that you can set the "review?" flag on and pick me from the suggested reviewers list.
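The comments above describe setting `sandbox` on the log viewer iframe and then adding back only the permissions the console errors show are needed. The following helper, added here as an example and not code from Treeherder or the linked pull request, composes that attribute value from a token list, rejects misspelled tokens (an unknown token grants nothing, so the permission you thought you restored silently stays missing), and flags the combinations that weaken the sandbox. The iframe id, the policy tokens, and the log URL are assumptions for illustration.

```javascript
// Added example: build and vet an iframe `sandbox` attribute value.
// Not Treeherder code; the element id, tokens and URL are assumed.

// Tokens defined for the sandbox attribute (see the MDN page the bug links).
const KNOWN_TOKENS = new Set([
  "allow-downloads",
  "allow-forms",
  "allow-modals",
  "allow-orientation-lock",
  "allow-pointer-lock",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-presentation",
  "allow-same-origin",
  "allow-scripts",
  "allow-storage-access-by-user-activation",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// Validate a token list. Returns { value, errors, warnings } where `value` is
// the space-separated attribute value (an empty string is the fully locked
// down sandbox), `errors` lists unknown tokens, and `warnings` lists
// combinations that noticeably weaken the sandbox.
function buildSandbox(tokens) {
  const errors = [];
  const warnings = [];
  const seen = new Set();
  for (const raw of tokens) {
    const t = String(raw).trim().toLowerCase();
    if (!t) continue;
    if (!KNOWN_TOKENS.has(t)) {
      errors.push(`unknown sandbox token: ${raw}`);
      continue;
    }
    seen.add(t);
  }
  if (seen.has("allow-scripts") && seen.has("allow-same-origin")) {
    // A same-origin document with script access could remove its own sandbox
    // attribute, so this pairing only helps for cross-origin framed content.
    warnings.push("allow-scripts with allow-same-origin: only effective for cross-origin content");
  }
  if (seen.has("allow-top-navigation")) {
    warnings.push("allow-top-navigation: framed content may navigate the whole tab; prefer allow-top-navigation-by-user-activation if needed at all");
  }
  return { value: [...seen].sort().join(" "), errors, warnings };
}

// Minimal HTML attribute escaping for the generated markup.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render the iframe with `sandbox` placed before `src`: the sandbox flags are
// applied when the frame's content is created, so the attribute must be
// present before the first navigation. Throws on unknown tokens.
function sandboxedIframeHtml(src, tokens, id) {
  const policy = buildSandbox(tokens);
  if (policy.errors.length > 0) {
    throw new Error(policy.errors.join("; "));
  }
  return `<iframe id="${escapeAttr(id)}" sandbox="${escapeAttr(policy.value)}" src="${escapeAttr(src)}"></iframe>`;
}

// Constructed usage: a log URL and a policy chosen for illustration only.
const EXAMPLE_LOG_URL = "https://example.invalid/log.txt";
const EXAMPLE_TOKENS = ["allow-scripts"];
console.log(sandboxedIframeHtml(EXAMPLE_LOG_URL, EXAMPLE_TOKENS, "logviewer-iframe"));
console.log(buildSandbox(["allow-scripts", "allow-same-origin"]).warnings);
```

Start from an empty token list (the strictest sandbox), run the stage comparison the comment describes, and add back one token per console error rather than pasting in a broad allow list; the `warnings` array is the place to stop and reconsider before a token such as `allow-same-origin` goes in.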
Created attachment 8921309: [treeherder] amychan331:set-sandbox-attribute > mozilla:master
Commit pushed to master at https://github.com/mozilla/treeherder
https://github.com/mozilla/treeherder/commit/32c549dc2800f1ca4611ec9e2e8f83cc2e38fc68

Bug 1328710 - Enable sandboxing for the logviewer iframe (#2867)

To improve security. See:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/