Starting Thursday, March 30th, 2023, we will implement sandboxing for all apps running in iframes (view apps)!
These apps will be subject to additional security measures to help protect our users from XSS attacks: the embedding iframe will carry an HTML sandbox attribute that restricts the app to an explicit allow-list of browser capabilities, and anything not on that list is blocked.
While we do not expect this update to break anything, we recommend testing all the flows in your app in the sandboxed environment just to be sure. You can do so by adding the _apps_sandbox=v1 query param to a monday URL.
On June 28th, 2023, we will then implement the second part of sandboxing by limiting these apps' actions and only allowing the following sandbox flags on our iframes (any capability not granted by one of these flags is blocked):
allow-forms: Allows the page to submit forms. The form will be displayed as normal, but submitting it will not trigger input validation, sending data to a web server, or closing a dialog if this keyword is not used.
allow-downloads: Allows downloading files through an <a> or <area> element with the download attribute, and through a navigation that leads to a file download. This works regardless of whether the user clicked the link or JS code initiated it without user interaction.
allow-presentation: Allows embedders to have control over whether an iframe can start a presentation session.
allow-scripts: Allows the page to run scripts (but not create pop-up windows). This operation is not allowed if this keyword is not used.
Note what the list omits: allow-same-origin, allow-popups, allow-modals and allow-top-navigation. Under the new restrictions your app runs from an opaque origin, so reading document.cookie or localStorage/sessionStorage throws a SecurityError, window.open() returns null, alert()/confirm()/prompt() are blocked, and the app cannot navigate the top-level page. Flows that depend on any of these (for example an OAuth login that opens a popup and stores a token in localStorage) need a different approach.
We again recommend testing your app in the sandboxed environment with the new restrictions to ensure nothing breaks. You can do so by adding the _apps_sandbox=v2 query param to a monday URL. If something breaks and there's no workaround, please complete a support request so we can find a resolution.
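To find sandbox breakage before the cutover, it helps to probe from inside the iframe which capabilities the browser has actually removed. The following is an added example, not monday.com code: a read-only probe you can paste into your app while it is loaded with the `_apps_sandbox=v2` query param. It only reads `self.origin`, `document.cookie` and the storage objects, so it has no side effects. The `makeFakeWindow` helper is a constructed stand-in (its origin, cookie and error strings are assumptions) so the probe can also run under Node outside a browser.

```javascript
// Added example (not monday.com code): probe which capabilities the iframe
// sandbox has removed. Pass the real `window` in the browser; `makeFakeWindow`
// below builds a constructed stand-in so the probe can run under Node.

// Run one property access; return "ok" or the name of the error it threw.
function tryAccess(fn) {
  try {
    fn();
    return "ok";
  } catch (err) {
    return err && err.name ? err.name : "Error";
  }
}

function probeSandbox(win) {
  // Without allow-same-origin the frame has an opaque origin: `self.origin`
  // serialises to the string "null" and cookie/storage access throws a
  // SecurityError. These reads do not change any state.
  const opaqueOrigin = win.origin === "null";
  const report = {
    origin: win.origin,
    opaqueOrigin,
    cookies: tryAccess(() => win.document.cookie),
    localStorage: tryAccess(() => win.localStorage),
    sessionStorage: tryAccess(() => win.sessionStorage),
    // The frame can tell it is embedded, even though it cannot inspect a
    // cross-origin parent.
    embedded: win.top !== win,
  };
  // Any blocked access, or an opaque origin, means allow-same-origin was not
  // granted, which is exactly the situation under the v2 flag list above.
  report.likelySandboxed =
    opaqueOrigin ||
    [report.cookies, report.localStorage, report.sessionStorage].some(
      (r) => r !== "ok"
    );
  return report;
}

// Constructed stand-in windows for offline testing (not real browser objects).
// The origin and cookie values are assumptions used only for illustration.
function makeFakeWindow({ sandboxed }) {
  const securityError = () => {
    const e = new Error(
      "The document is sandboxed and lacks the 'allow-same-origin' flag."
    );
    e.name = "SecurityError";
    return e;
  };
  const win = {
    origin: sandboxed ? "null" : "https://app.example.com",
    document: {
      get cookie() {
        if (sandboxed) throw securityError();
        return "session=abc";
      },
    },
    get localStorage() {
      if (sandboxed) throw securityError();
      return {};
    },
    get sessionStorage() {
      if (sandboxed) throw securityError();
      return {};
    },
  };
  win.top = { parentFrame: true }; // a distinct object, so win.top !== win
  return win;
}

if (typeof window !== "undefined") {
  // In the browser: run inside the app while it is loaded under _apps_sandbox=v2.
  console.table(probeSandbox(window));
}
```

If the report shows `likelySandboxed: true` with storage or cookie access returning `SecurityError`, any flow in your app that persists state in the frame's own origin will break under v2 and needs to be moved (for example to the monday SDK storage or to your backend).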
Keep your eyes out for more reminders as we get closer to implementing the second part of sandboxing!