This repository was archived by the owner on Jun 4, 2026. It is now read-only.
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Uh oh!
There was an error while loading. Please reload this page.
-
决策
iframe runtime 使用
sandbox="allow-scripts"、srcdoc、随机 runId、CSP、postMessage 协议、event.source校验、runId 校验和消息 schema 校验。每次运行创建全新 iframe,并设置 3s timeout。备选方案
理由
sandbox iframe 是 opaque origin,子页面向父页面发送消息只能使用
postMessage(..., "*"),但父页面不能把*当作信任边界。最新方案明确 runtime message 协议和失控处理。影响
父页面只接受来自当前 iframe.contentWindow 且 runId 匹配、schema 合法的消息。timeout、error、blocked alert 都写入运行事件。任何 previewHtml 回放都只能进入新的 sandbox iframe。
Beta Was this translation helpful? Give feedback.
All reactions