Skip to content

web: sandbox hardening — opaque-origin inner frame, srcdoc-only, frame-ancestors#1650

Closed
cliffhall wants to merge 2 commits into
v2/mainfrom
v2/1565-sandbox-hardening
Closed

web: sandbox hardening — opaque-origin inner frame, srcdoc-only, frame-ancestors#1650
cliffhall wants to merge 2 commits into
v2/mainfrom
v2/1565-sandbox-hardening

Conversation

@cliffhall

Copy link
Copy Markdown
Member

Closes #1565

Hardens the MCP Apps sandbox isolation model (re-implementation of the relevant slice of PR #1510).

Changes

  • Opaque-origin inner frame — the untrusted-widget iframe is sandboxed without allow-same-origin (default allow-scripts allow-forms), and any server-supplied sandbox value has allow-same-origin stripped case-insensitively. The widget runs under an opaque origin and cannot reach the proxy's DOM to bypass its own CSP via window.parent.
  • srcdoc-only delivery — replaces document.write; srcdoc is the delivery path that works without allow-same-origin.
  • Relay identity check — the inner frame's origin serialises as the literal "null"; the unforgeable check is event.source === inner.contentWindow, with the "null" origin asserted as defense-in-depth.
  • frame-ancestors headersandbox-controller.ts serves the proxy with Content-Security-Policy: frame-ancestors http://127.0.0.1:* http://localhost:*. Fetch directives are deliberately omitted so a srcdoc iframe's inherited policy container does not intersect with / override the per-app CSP.

Tests

  • sandbox-controller.test.ts asserts the frame-ancestors header is present and that default-src/connect-src are absent.
  • MCP Apps demo integration test still passes end-to-end.
  • Full npm run ci passes locally (coverage gate, all smokes, Storybook).

Stacking

First PR in the Wave 2 Apps-host stack. Branches off v2/main; subsequent PRs (#1566 …) stack on this branch.

🤖 Generated with Claude Code

https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

…e-ancestors

Harden the MCP Apps sandbox isolation model:

- The inner (untrusted-widget) iframe is sandboxed WITHOUT `allow-same-origin`
  (default "allow-scripts allow-forms") and any server-supplied sandbox value
  has `allow-same-origin` stripped case-insensitively, so the widget runs under
  an opaque origin and cannot reach the proxy's DOM to bypass its own CSP via
  the parent realm.
- Widget delivery is `srcdoc`-only (no document.write), which respects the
  opaque origin.
- The relay accepts the inner frame's "null" origin with
  `event.source === inner.contentWindow` as the unforgeable identity check.
- sandbox-controller.ts serves the proxy with
  `Content-Security-Policy: frame-ancestors http://127.0.0.1:* http://localhost:*`;
  fetch directives are deliberately omitted so a srcdoc iframe's inherited
  policy container does not override the per-app CSP.

Updated the isolation-model comments and the sandbox-controller integration
test asserts the frame-ancestors header (and the absence of fetch directives).

Closes #1565

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
@cliffhall cliffhall added the v2 Issues and PRs for v2 label Jul 11, 2026
@cliffhall

Copy link
Copy Markdown
Member Author

@claude review

@claude

claude Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Claude finished @cliffhall's task in 2m 20s —— View job


Review: sandbox hardening (PR #1650)

  • Read the changed files
  • Analyze security model (opaque-origin, srcdoc, frame-ancestors, relay identity)
  • Review tests
  • Post review

This is a well-reasoned security hardening. The four moves — dropping allow-same-origin, srcdoc-only delivery, the event.source === inner.contentWindow identity proof, and the frame-ancestors-only proxy header — fit together correctly, and the inline comments are unusually good at documenting why. Below are the things worth confirming; none are blockers.

✅ What's correct and notable

  • Omitting fetch directives from the proxy CSP is the right call. A srcdoc iframe inherits its embedder's CSP policy container, and CSPs combine per-directive as "most restrictive wins." A default-src/connect-src on the proxy header would be inherited by the inner document and intersect with the per-app <meta> CSP from sandbox-csp.ts, silently breaking each app's own allowlist. The comment in sandbox-controller.ts:50-58 captures this precisely. Good.
  • frame-ancestors inheritance is benign here. Even though the inner srcdoc doc inherits frame-ancestors http://127.0.0.1:* http://localhost:*, the proxy's own origin (a localhost/127.0.0.1 port) matches the wildcard-port allowlist, so the inner frame is still allowed to be embedded by the proxy. Worth being aware of, but it works out.
  • The allow-same-origin strip is robust against token-splitting tricks. JS \s is a superset of the ASCII whitespace the HTML sandbox parser tokenizes on, and .toLowerCase() covers the ASCII-case-insensitive match — so no crafted token containing allow-same-origin can survive the filter yet be re-read as that token by the parser.

🟡 Worth considering (non-blocking)

1. safeSandbox can silently disable scripting (fail-closed, but surprising). In sandbox_proxy.html:167-171, if a server supplies a sandbox value that omits allow-scripts (e.g. "allow-same-origin" alone → safeSandbox === ""), the inner frame is set to the most-restrictive sandbox and the app never runs. This is safe (fails closed) and largely matches prior behavior, but a hostile/buggy server could brick an app with no diagnostic. Consider guaranteeing allow-scripts remains, or at least logging when the sanitized value drops it. Fix this →

2. Security-critical inline-script logic has no direct unit test. The strip, the srcdoc assignment, and the INNER_ORIGIN === "null" check all live in the sandbox_proxy.html inline script and are only exercised indirectly by the MCP Apps demo integration test. The strip in particular is the primary new defensive boundary — a focused test (extracting the token-filter into a testable helper, or asserting proxy behavior in the integration suite) would guard against regressions. Understood that inline HTML scripts are awkward to cover under the ≥90 gate; flagging for completeness.

3. Unrelated lockfile churn. All four package-lock.json files drop "version": "2.0.0" and clients/launcher/package-lock.json gains ~550 lines of @emnapi/* / @napi-rs/wasm-runtime optional deps. None of this relates to sandbox hardening — it looks like incidental npm install regeneration. The version drop is consistent with the "single version number" invariant, but consider splitting the launcher lock changes out so the security diff stays focused (and to make the added transitive deps a deliberate, reviewable change rather than a side effect).

Nits

  • sandbox_proxy.html:100 — the window.top?.alert(...) self-test relies on window.top throwing a SecurityError; unchanged by this PR and still correct, just noting it depends on the proxy being cross-origin to the top frame (different port), which the sandbox-controller guarantees.

Overall: solid, defensible isolation model with good documentation. My only substantive asks are optional (test coverage for the strip, and keeping the lockfile noise out of the security diff).
· branch v2/1565-sandbox-hardening

…tal lockfile churn

Addresses the claude[bot] review on PR #1650:
- sandbox_proxy.html: log a console.warn when a server-supplied `sandbox`
  value lacks `allow-scripts` after the `allow-same-origin` strip, so a
  fail-closed (app-never-runs) sandbox is diagnosable instead of silent.
- Restore clients/{cli,launcher,tui,web}/package-lock.json to their
  v2/main state — the earlier churn (@emnapi/@napi-rs optional deps, a
  dropped version field) was incidental `npm install` regeneration
  unrelated to the sandbox change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw
@cliffhall

Copy link
Copy Markdown
Member Author

Thanks for the thorough review. Addressed in cdd166d:

  1. safeSandbox can silently disable scripting — Applied (as the "log when dropped" option). After stripping allow-same-origin, the proxy now console.warns when the sanitized token list lacks allow-scripts, so a fail-closed sandbox is diagnosable rather than silent. I kept it fail-closed rather than force-injecting allow-scripts, so a server that deliberately narrows the sandbox still gets what it asked for — just with a visible diagnostic.

  2. No direct unit test for the inline strip — Declined, with reason. The strip / srcdoc assignment / INNER_ORIGIN === "null" checks live in the inline script of sandbox_proxy.html, which is served as a self-contained static page and can't be imported or executed under happy-dom. Extracting the token-filter into an external module would change the trusted-proxy delivery model (the proxy must ship as one static file the sandbox controller serves verbatim). It stays covered indirectly by the mcp-app-demo integration test. Flagging as a known coverage limitation, consistent with your note.

  3. Unrelated lockfile churn — Applied. Reverted clients/{cli,launcher,tui,web}/package-lock.json to their v2/main state; the @emnapi/@napi-rs additions and dropped version field were incidental npm install regeneration in my worktree, not deliberate dep changes. The diff is now sandbox-only.

Nit (window.top self-test): acknowledged, no change — unchanged by this PR and still correct given the proxy is cross-origin (different port) to the top frame.

npm run ci is green after the changes.

@cliffhall

Copy link
Copy Markdown
Member Author

@claude review

@claude

claude Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Claude finished @cliffhall's task in 1m 8s —— View job


Re-review: sandbox hardening (PR #1650)

  • Read the updated files (sandbox_proxy.html, sandbox-controller.ts, tests)
  • Verify the three feedback items from the prior round
  • Check for regressions / new edge cases
  • Post review

Thanks for the fast turnaround, @cliffhall. I re-checked the commit cdd166df against origin/v2/main — all three items land cleanly, and the reasoning for the one you declined is sound. Ship it.

✅ Verified resolutions

1. safeSandbox silent-brick → now diagnosable. sandbox_proxy.html:167-180 filters into safeTokens, then console.warns when the sanitized list lacks allow-scripts before applying it. I like that you kept it fail-closed (a server that deliberately narrows the sandbox still gets exactly what it asked for) and only added the diagnostic — that's the right trade-off. I also traced the empty-string edge (sandbox: ""): "".split(/\s+/)[""] → filtered to [], so the warn fires and the frame gets the most-restrictive sandbox="" — fail-closed and visible. Good.

2. No direct unit test for the inline strip → declined, reasonably. Agreed. The strip / srcdoc / INNER_ORIGIN logic lives in the verbatim-served static proxy, which can't be imported under happy-dom, and extracting it into a module would change the trusted-proxy delivery model. Indirect coverage via the mcp-app-demo integration test plus the well-documented inline comments is an acceptable state for a security boundary that must ship as one static file. Noted as a known limitation, not a blocker.

3. Lockfile churn → fully reverted. Confirmed with a direct diff against base — all four lockfiles are now byte-identical to v2/main:

clients/cli/package-lock.json: 0
clients/launcher/package-lock.json: 0
clients/tui/package-lock.json: 0
clients/web/package-lock.json: 0

The diff is now sandbox-only. 👍

Nits from last round

  • window.top self-test (sandbox_proxy.html:96-110) — acknowledged, no change, still correct.
  • The new console.warn is [Sandbox]-prefixed, matching the existing console.error relay diagnostics — consistent, no action needed.

Nothing further from me. The isolation model (opaque-origin inner frame · srcdoc-only · event.source === inner.contentWindow identity proof · frame-ancestors-only proxy CSP) is coherent, and the inline comments explaining why fetch directives are omitted from the proxy header remain the standout part of this change. LGTM. ✅
· branch v2/1565-sandbox-hardening

@cliffhall

Copy link
Copy Markdown
Member Author

Superseded by the wave rollup PR #1660 (retargeted to v2/main), which contains this change as part of the full cumulative diff. Closing this per-issue PR in favor of the rollup so the wave merges as one PR. Branch retained until #1660 merges; the linked issue will be closed and its board card moved to Done when the rollup lands.

@cliffhall cliffhall closed this Jul 12, 2026
cliffhall added a commit that referenced this pull request Jul 12, 2026
…1660)

* web: sandbox hardening — opaque-origin inner frame, srcdoc-only, frame-ancestors

Harden the MCP Apps sandbox isolation model:

- The inner (untrusted-widget) iframe is sandboxed WITHOUT `allow-same-origin`
  (default "allow-scripts allow-forms") and any server-supplied sandbox value
  has `allow-same-origin` stripped case-insensitively, so the widget runs under
  an opaque origin and cannot reach the proxy's DOM to bypass its own CSP via
  the parent realm.
- Widget delivery is `srcdoc`-only (no document.write), which respects the
  opaque origin.
- The relay accepts the inner frame's "null" origin with
  `event.source === inner.contentWindow` as the unforgeable identity check.
- sandbox-controller.ts serves the proxy with
  `Content-Security-Policy: frame-ancestors http://127.0.0.1:* http://localhost:*`;
  fetch directives are deliberately omitted so a srcdoc iframe's inherited
  policy container does not override the per-app CSP.

Updated the isolation-model comments and the sandbox-controller integration
test asserts the frame-ancestors header (and the absence of fetch directives).

Closes #1565

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* web: enforce per-app _meta.ui.csp in the app bridge + surface resource-read failures

- createAppBridgeFactory now builds each app's `_meta.ui.csp` host-side via the
  sandbox-csp library (approveCspSources → buildSandboxCspPolicy) and wraps the
  untrusted widget HTML with wrapSandboxedHtml so the CSP <meta> is always the
  first <head> child before the HTML reaches the sandboxed iframe. The approved
  (post-filter) csp + permissions are echoed back via hostCapabilities.sandbox
  so the view sees what was granted. The csp is no longer sent inline through
  sendSandboxResourceReady — it is enforced via the wrapped meta.
- A per-app copy of HOST_CAPABILITIES prevents the sandbox echo from mutating
  the shared constant.
- New optional `onResourceError` dep on AppBridgeFactoryDeps routes resource
  read/post failures to the caller (also always console.error'd) instead of
  leaving a silent blank frame.

Closes #1566

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* web: full hostContext delivery + live host-context-changed updates

- createAppBridgeFactory now seeds the full hostContext via
  snapshotHostContext(iframe, HOST_AVAILABLE_DISPLAY_MODES): theme, styles
  (Mantine design tokens), displayMode ("inline"), availableDisplayModes, and
  containerDimensions — replacing the theme-only seed. The local currentTheme
  helper is dropped in favor of hostContext.ts.
- AppRenderer gains `displayMode` and `containerRef` props and pushes live
  host-context changes via the SDK's sendHostContextChange (partial
  host-context-changed notifications), never a hand-maintained snapshot:
  - theme + styles via a MutationObserver on <html data-mantine-color-scheme>,
  - containerDimensions via a ResizeObserver on the host container (or the
    iframe fallback), gated on `initialized`, skipping 0x0 and value-equal
    repeats, plus a one-shot push on initialize once layout settles,
  - displayMode whenever the prop changes (Maximize/Restore), gated on init.

Adds AppRenderer host-context tests (theme flip incl. resolved styles,
displayMode push + init gate, container-dimensions on init and resize, observer
teardown) and updates the factory + story mocks for the new hostContext shape
and sendHostContextChange method.

Closes #1567

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* web: honor ui/notifications/size-changed and ui/request-display-mode

AppRenderer:
- New `onSizeChange` prop forwards the view's ui/notifications/size-changed
  reports (via the bridge `sizechange` event).
- New `onRequestDisplayMode` prop backs an `onrequestdisplaymode` bridge handler
  that returns the mode the host actually applied; with no handler the request
  is declined by returning the current host-side mode (falling back to inline).

AppsScreen:
- Adds a host-controlled RendererContainer (measured for containerDimensions)
  with an inner box sized by the view-reported height (`appHeight`), so
  host→view container size and view→host size-changed don't couple.
- `handleSizeChange` records the reported height (ignored while maximized);
  `displayMode` is derived from the maximize toggle and pushed to the view;
  `handleRequestDisplayMode` filters against HOST_AVAILABLE_DISPLAY_MODES
  (declining e.g. "pip") and maps fullscreen↔inline onto the maximize state.

Adds AppRenderer tests (size forwarding, request-display-mode apply/decline/
fallback) and AppsScreen tests (frame sizing on report, no-height ignore,
fullscreen/restore/decline via request-display-mode). Story mocks gain
sendHostContextChange/addEventListener.

Closes #1568

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* web: honor ui/download-file with confirmation and http(s) allowlist

createAppBridgeFactory now advertises the `downloadFile` host capability and
attaches an `ondownloadfile` handler:

- Requires a host-mediated confirmation (window.confirm) listing the requested
  file(s); a declined prompt or an empty payload returns isError without acting.
- Inline EmbeddedResources (text or base64 blob) are written to disk via the
  shared downloadBlob object-URL anchor; base64 is decoded via base64ToBytes.
- ResourceLinks are opened in a new tab, restricted to http(s) by the shared
  isHttpUrl allowlist (javascript:/data:/file:/malformed are rejected).
- Labels shown in the confirmation are sanitized (control + format chars
  stripped, length clamped) so a server-supplied filename/URI can't inject
  newlines or reflow the prompt.
- Partial-batch success is surfaced (isError only when nothing downloaded), with
  skipped items warned.

Adds factory tests for the full download surface (text/blob/link, decline,
empty, throw, non-http rejection, label sanitization/clamping, partial batch).

Closes #1569

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* web: surface ui/message and app logging in panels below the running app

AppRenderer:
- New `onMessage` prop backs an `onmessage` bridge handler that surfaces the
  view's ui/message content and returns the spec-required empty result;
  with no handler the submission is declined (isError).
- New `onLog` prop forwards MCP `notifications/message` log entries via the
  bridge `loggingmessage` event, honoring the advertised `logging` capability.

AppsScreen:
- Adds `messages`/`appLogs` state (cleared with the reported height on
  select/open/close/back via resetAppChannels) and `handleMessage`/`handleLog`.
- Renders a "Messages from app" panel (data-testid="apps-messages", reusing
  ContentViewer) and a default-expanded collapsible "App logs" panel
  (data-testid="apps-logs", reusing LogLevelBadge) with logger names and a
  Clear button, both as pinned panels below the running widget.

Adds AppRenderer tests (log forward + no-handler no-throw, ui/message
route/empty-result/decline) and AppsScreen tests (message log render + empty
result + clear-on-close, log panel expand/collapse/clear).

Closes #1570

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* web: stage partial input — replay tool-input-partial before final tool input

AppRenderer:
- New `partialInputs` prop (ordered fragments), snapshotted into pendingPartials
  at bridge-build time (read via a ref so prop churn never rebuilds the iframe)
  and cleared on dispose. flushPending replays them via
  bridge.sendToolInputPartial BEFORE the complete tool-input, per spec.

AppsScreen:
- New `partialStages` state + `handleStagePartialInput` (snapshots current form
  values). resetAppChannels gains a `keepPartials` option so Open App preserves
  the staged fragments (they're consumed by the renderer) while select/close/
  back clear them.
- Adds a "Stage partial input" control (fielded apps only) with a staged count
  and "Clear staged", wired to AppRenderer's `partialInputs`.

Adds AppRenderer tests (ordered replay before tool-input; none when omitted) and
AppsScreen tests (stage/count/clear gated on fields; staged partials survive
Open and are replayed).

Closes #1571

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* web: app lifecycle status + machine-readable data attributes on the Apps screen

AppRenderer:
- New AppRendererStatus ("loading" | "ready" | "error") + onAppStatusChange
  callback. Fires "loading" at the start of every (re)build, "ready" on the
  view's initialized signal, and "error" on a factory throw/rejection.

AppsScreen:
- appStatus/appError state; handleAppError captures the reason locally and
  forwards to the parent onError. resetAppChannels clears both.
- Surfaces the contract as data-testid="apps-form" carrying data-app-status and
  data-app-error, renders an error panel (data-testid="apps-error") in place of
  the blank frame, and tags the stage button data-testid="apps-stage".
- AppDetailPanel's Open App button gains data-testid="open-app".

App.tsx:
- Wires the bridge factory's onResourceError to a red toast so a malformed/404
  UI resource is no longer console-only (the renderer separately drives
  data-app-status, so a driver times out on never-reaching-ready and reads it).

Documents the data-testid/data-* automation contract in clients/web/README.md.
Adds AppRenderer status-transition tests and AppsScreen status/error-panel
tests.

Closes #1572

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* review: warn when server sandbox drops allow-scripts + revert incidental lockfile churn

Addresses the claude[bot] review on PR #1650:
- sandbox_proxy.html: log a console.warn when a server-supplied `sandbox`
  value lacks `allow-scripts` after the `allow-same-origin` strip, so a
  fail-closed (app-never-runs) sandbox is diagnosable instead of silent.
- Restore clients/{cli,launcher,tui,web}/package-lock.json to their
  v2/main state — the earlier churn (@emnapi/@napi-rs optional deps, a
  dropped version field) was incidental `npm install` regeneration
  unrelated to the sandbox change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* review: document CSP-vs-permissions filtering asymmetry (PR #1652)

Address the claude[bot] review's finding #2: add a comment explaining why
`csp` is injection-filtered (approveCspSources) while `permissions` is passed
through verbatim — permissions is a structured boolean object consumed only by
the sandbox proxy's buildAllowAttribute() (fixed key→token mapping), so it
never reaches the iframe sandbox/allow attribute as raw text. No logic change.

Also merges v2/1565-sandbox-hardening (review fixes) up the stack.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* test: lock in per-app HOST_CAPABILITIES isolation (PR #1652 round 2)

Add a test asserting the shared HOST_CAPABILITIES.sandbox stays undefined after
a sandboxready run sets hostCapabilities.sandbox — guards against a silent
regression if the per-app spread copy were ever dropped.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* review: gate theme observer on initialized + document seed/dep assumptions (PR #1654)

Address the claude[bot] review:
- Finding #1 (applied): gate the theme+styles MutationObserver on the view's
  `initialized` signal, matching the container/displayMode pushes — a theme
  flip in the construction→handshake window no longer races ui/initialize. The
  factory seeds the construction-time theme, and the first post-init flip
  carries the current value. Added tests: pre-init flip is dropped; the live
  flip test now completes the handshake first.
- Finding #2 (applied, comment): note in snapshotHostContext that the
  `displayMode: "inline"` seed assumes inline-at-open (AppsScreen always opens
  inline; #1568's displayMode push carries transitions).
- Finding #4 (applied, comment): explain why `containerRef` is a build-effect
  dep yet doesn't force a rebuild (sameInputs ignores it; read lazily).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* review: guard 0-height size reports, distinct RendererFrame, shared payload type (PR #1656)

Address the claude[bot] review:
- #1 (applied): handleSizeChange ignores a non-positive height — a view's
  ResizeObserver can transiently fire 0 pre-layout/teardown, which would
  collapse the frame; mirrors AppRenderer's 0×0 skip. Added a test.
- #2 (applied): reinstate a distinct `RendererFrame` constant for the inner
  content-sized box so its role reads clearly vs. the outer RendererContainer.
- #3 (declined + comment): keep carrying `appHeight` across maximize→restore —
  clearing it would flash the frame to full-card height until the next
  size-changed; the carry-over restores at the prior size. Documented.
- #4 (applied): type handleSizeChange's param as AppBridgeEventMap["sizechange"]
  so the payload shape has a single source of truth with AppRenderer's prop.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* review: distinguish links, cap batch size, comment truncation (PR #1657)

Address the claude[bot] review:
- #1 (applied): the confirmation now reads "download or open N item(s)" and
  resource_links are prefixed "↗" in the summary, so a link that opens in a tab
  is distinguishable from an embedded file that saves to disk.
- #2 (applied): cap a single ui/download-file batch at MAX_DOWNLOAD_ITEMS (20);
  an oversized batch is rejected (isError) before the prompt, with a warn.
- #3 (declined): can't check window.open's return value to detect a blocked
  popup — we pass `noopener`, and per spec window.open returns null even on a
  successful noopener open, so null can't distinguish blocked from succeeded.
- #4b (applied, comment): note the start-of-label truncation is intentional so a
  link's scheme+host stays visible for the trust decision.

Adds tests: oversized batch rejected without confirming/acting; resource-link ↗
prefix in the summary.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* review: skip embedded resource with neither text nor blob (PR #1657 round 2)

Address the round-2 observation: an untrusted EmbeddedResource carrying neither
`blob` nor a string `text` previously produced `new Blob([undefined])` — a file
containing the literal text "undefined", counted as success. Now such an item
is skipped (returns false, like a rejected link), so isError reflects it. Added
a test asserting no object URL is created and the batch reports isError.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* review: type-honest formatLogData, cap channels, log-panel a11y (PR #1658)

Address the claude[bot] review:
- #1 (applied): formatLogData coalesces JSON.stringify(undefined) → "" so the
  `: string` return type is honest for a data-less log.
- #2 (applied): cap retained messages/logs at MAX_APP_CHANNEL_ENTRIES (500) via
  appendCapped — a chatty widget no longer grows the panels/DOM without bound
  between Clear/close; oldest entries drop.
- #3 (declined): keep the Messages panel without a Clear/collapse — messages are
  sparser and already cleared on close/switch; keeping it simple.
- #4 (applied): the App-logs toggle now has aria-controls pointing at the
  Collapse region (id="apps-logs-region") for assistive tech.

Adds tests: no-data log renders (coalesce branch), 501 logs cap at 500 (oldest
dropped), aria-controls assertion.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* review: stable id key for Messages panel (PR #1658 round 2)

Address the round-2 nit: give AppMessage a stable `id` (assigned via
nextMessageIdRef in handleMessage) and key the Messages panel on it instead of
the array index — so the appendCapped front-drop can't renumber keys once a run
exceeds the cap, matching AppLogEntry's treatment.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* review: note partialStages intentionally survives handleOpen (PR #1659)

Address the claude[bot] review's observation #2: add a comment at the
handleOpen call site clarifying that partialStages is intentionally NOT cleared
there — AppRenderer snapshots the fragments into its own pendingPartialsRef at
build time, and the staging UI only renders while not running, so the surviving
state is invisible until the next reset drains it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

* review: align error-panel docs with behavior + gate data-app-error on running (PR #1660)

Address the claude[bot] review:
- #1 (applied, docs): the error panel renders BELOW the (blank) frame, not in
  place of it — the renderer stays mounted so a factory error still shows the
  reason alongside the iframe (gating the frame off on error would drop the
  auto-launched iframe an integration test relies on). Reworded the README row
  and the test comment to say "below the frame"; added a code comment.
- #2 (applied): gate data-app-error on `running` (like data-app-status) so the
  two attributes can't desync if a future path sets an error without running.
- #3 (no change): resource-read failures staying at data-app-status="loading"
  (toast only) is intentional and documented.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BrihGWcrM9JGRyu41nzZYw

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cliffhall cliffhall deleted the v2/1565-sandbox-hardening branch July 12, 2026 02:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

v2 Issues and PRs for v2

Projects

None yet

Development

Successfully merging this pull request may close these issues.

web: sandbox hardening — opaque-origin inner frame, srcdoc-only delivery, frame-ancestors CSP

1 participant