From 734cabeff3805adc48bb3c5988f0f6591d0786cb Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Sat, 20 Jun 2026 11:08:56 -0700
Subject: [PATCH] fix(security): unsafe html iframe sandbox configuration allows sa

The LiveBrowserView component uses `sandbox="allow-scripts allow-same-origin allow-forms"` on an iframe. The combination of `allow-scripts` and `allow-same-origin` effectively removes most sandbox protections, allowing the embedded content to access the parent's cookies, storage, and DOM if same-origin. Additionally, `allow-forms` enables form submission. The stream token is passed via URL fragment, which while keeping it out of server logs, is still accessible to JavaScript in the iframe. If the nekoUrl is ever same-origin or becomes same-origin through DNS hijacking, this creates a significant attack surface.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 desktop/src/apps/BrowserApp/LiveBrowserView.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/desktop/src/apps/BrowserApp/LiveBrowserView.tsx b/desktop/src/apps/BrowserApp/LiveBrowserView.tsx
index e37eea2d0..5be695591 100644
--- a/desktop/src/apps/BrowserApp/LiveBrowserView.tsx
+++ b/desktop/src/apps/BrowserApp/LiveBrowserView.tsx
@@ -21,7 +21,7 @@ export function LiveBrowserView({ nekoUrl, streamToken }: LiveBrowserViewProps)