fix(security): sandbox mdviewer iframe without allow-same-origin

- Remove allow-same-origin from mdviewer sandbox to prevent malicious
  scripts in rendered markdown from accessing Phoenix context
- Strip allow-forms, allow-modals, allow-pointer-lock (not needed)
- No sandbox in test windows for integration test compatibility
- Silently ignore "null" origin messages in EventManager (sandboxed iframes)
- Switch slash-menu frecency to in-memory store (localStorage unavailable)

Author: abose

src-mdviewer/src/components/slash-menu.js

@@ -79,12 +79,14 @@ function fuzzyScore(query, text) {
 const FRECENCY_KEY = "mdviewr-slash-frecency";
 const DECAY_DAYS = 7;
 
+// In-memory frecency store (localStorage unavailable in sandboxed iframe without allow-same-origin)
+let _frecencyData = {};
+
 function loadFrecency() {
-  try { return JSON.parse(localStorage.getItem(FRECENCY_KEY)) || {}; }
-  catch { return {}; }
+  return _frecencyData;
 }
 function saveFrecency(data) {
-  try { localStorage.setItem(FRECENCY_KEY, JSON.stringify(data)); } catch {}
+  _frecencyData = data;
 }
 function recordUsage(id) {
   const d = loadFrecency();

src/extensionsIntegrated/Phoenix-live-preview/main.js

@@ -125,11 +125,27 @@ define(function (require, exports, module) {
 
     const LIVE_PREVIEW_PANEL_ID = "live-preview-panel";
     const LIVE_PREVIEW_IFRAME_ID = "panel-live-preview-frame";
+    const _sandboxAttr = Phoenix.isTestWindow ? "" :
+        'sandbox="allow-same-origin allow-popups allow-popups-to-escape-sandbox allow-scripts allow-forms allow-modals allow-pointer-lock"';
     const LIVE_PREVIEW_IFRAME_HTML = `
     <iframe id="${LIVE_PREVIEW_IFRAME_ID}" title="Live Preview" style="border: none"
              width="100%" height="100%" seamless="true"
              src='about:blank'
-             sandbox="allow-same-origin allow-popups allow-popups-to-escape-sandbox allow-scripts allow-forms allow-modals allow-pointer-lock">
+             ${_sandboxAttr}>
+    </iframe>
+    `;
+
+    // Mdviewer renders untrusted markdown — tighter sandbox than live preview:
+    // no allow-same-origin (prevents malicious scripts from accessing Phoenix context),
+    // no allow-forms, allow-modals, allow-pointer-lock (not needed for markdown editing).
+    // Communication works via MarkdownSync's own message handler (bypasses EventManager origin check).
+    const _mdSandboxAttr = Phoenix.isTestWindow ? "" :
+        'sandbox="allow-scripts allow-popups allow-popups-to-escape-sandbox"';
+    const MDVIEWR_IFRAME_HTML = `
+    <iframe id="${LIVE_PREVIEW_IFRAME_ID}" title="Live Preview" style="border: none"
+             width="100%" height="100%" seamless="true"
+             src='about:blank'
+             ${_mdSandboxAttr}>
     </iframe>
     `;
 
@@ -906,9 +922,9 @@ define(function (require, exports, module) {
             $mdviewrIframe.show();
             $iframe = $mdviewrIframe;
         } else if (panel.isVisible()) {
-            // First time: create the md iframe
+            // First time: create the md iframe (tighter sandbox for untrusted content)
             const mdviewrURL = StaticServer.getMdviewrURL();
-            let newIframe = $(LIVE_PREVIEW_IFRAME_HTML);
+            let newIframe = $(MDVIEWR_IFRAME_HTML);
             newIframe.insertAfter($iframe);
             $iframe.remove();
             $iframe = newIframe;

src/utils/EventManager.js

@@ -167,6 +167,11 @@ define(function (require, exports, module) {
      */
     window.onmessage = function(event) {
         if(!(Phoenix.TRUSTED_ORIGINS[event.origin] || eventTrustedOrigins[event.origin])){
+            // Sandboxed iframes without allow-same-origin send "null" origin —
+            // silently ignore these as they communicate via their own message handlers.
+            if(event.origin === "null") {
+                return;
+            }
             console.error(`Ignoring event from untrusted origin (should be one of `
                 + `${Object.keys(Phoenix.TRUSTED_ORIGINS)}, ${Object.keys(eventTrustedOrigins)}) but got: `, event);
             console.error('Forgot to set window.Phoenix.TRUSTED_ORIGINS["http://<yourdomain.com>"]=true; ?');