Add allow same origin to the iFrame widget

[bosiraphael]

Some iFrames were unusable because of this

[greptile-apps]

Greptile Overview

Greptile Summary

Added allow-same-origin to the iframe sandbox attribute to enable same-origin iframe functionality.

• Enabled same-origin access for iframes by adding allow-same-origin to the sandbox attribute
• This change fixes unusable iframes that require same-origin access but introduces security considerations
• The backend validates URLs using @IsUrl() decorator, but combining allow-same-origin with allow-scripts significantly reduces sandbox protections

Confidence Score: 3/5

• This PR introduces a security consideration that needs verification before merging
• The change is minimal and solves a real problem, but allow-same-origin combined with allow-scripts creates a security concern. While the backend validates URLs, the effectiveness depends on whether iframe URLs can only come from trusted admin-controlled sources or if they can be influenced by users. The code itself is clean and functional.
• Verify that IframeWidget.tsx iframe URLs are strictly controlled and cannot be manipulated by untrusted users

Important Files Changed

File Analysis

Filename	Score	Overview
packages/twenty-front/src/modules/page-layout/widgets/iframe/components/IframeWidget.tsx	3/5	Added allow-same-origin to iframe sandbox attribute to enable same-origin iframes, which has security implications

Sequence Diagram

sequenceDiagram
    participant User
    participant IframeWidget
    participant Backend
    participant ExternalSite

    User->>Backend: Create/Update Widget with URL
    Backend->>Backend: Validate URL (@IsUrl decorator)
    Backend-->>User: Widget saved with validated URL
    
    User->>IframeWidget: Render widget on page
    IframeWidget->>IframeWidget: Check isPageLayoutInEditMode
    IframeWidget->>IframeWidget: Validate URL exists
    IframeWidget->>ExternalSite: Load iframe with sandbox="allow-scripts allow-forms allow-popups allow-same-origin"
    Note over IframeWidget,ExternalSite: NEW: allow-same-origin enables<br/>same-origin access (cookies, localStorage, DOM)
    ExternalSite-->>IframeWidget: Render content with same-origin privileges
    IframeWidget->>IframeWidget: Handle onLoad/onError events
    IframeWidget-->>User: Display iframe or error state

Loading

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

logic: allow-same-origin combined with allow-scripts removes most sandbox protections. The iframe can now access its own origin (cookies, localStorage, DOM), potentially enabling XSS if the URL source is compromised. Verify that iframe URLs come from trusted sources only and cannot be user-controlled.

Prompt To Fix With AI

This is a comment left during a code review.
Path: packages/twenty-front/src/modules/page-layout/widgets/iframe/components/IframeWidget.tsx
Line: 106:106

Comment:
**logic:** `allow-same-origin` combined with `allow-scripts` removes most sandbox protections. The iframe can now access its own origin (cookies, localStorage, DOM), potentially enabling XSS if the URL source is compromised. Verify that iframe URLs come from trusted sources only and cannot be user-controlled.

How can I resolve this? If you propose a fix, please make it concise.

[prastoin]

Hey there, that's pretty risky
I would either opt to pass credentials to the invoked iframe rather than consuming its own cookies 🤔
I honestly don't know what's the most suitable here

[github-actions]

🚀 Preview Environment Ready!

Your preview environment is available at: http://bore.pub:18183

This environment will automatically shut down when the PR is closed or after 5 hours.

[charlesBochet]

IMO this is completely safe for two reasons:

• users are responsible to what they install / setup in their workspace. If they want to hack themselves, they can. (instead of hacking themselves through an iframe, let's just make a chrome extension :p)
• none of the browsers allow any scripting / sharing between a host and an iframe having different hosts (scheme + subdomain + domain + protocol have to be exactly equal). So the only way to hack my-twenty.twenty.com is to host an iframe on... my-twenty.twenty.com), which lead to "hack myself" scenario too

[twenty-eng-sync]

Hey @bosiraphael! After you've done the QA of your Pull Request, you can mark it as done here. Thank you!