- Issue created by @hooroomoo
- 🇺🇸United States effulgentsia
Editing the JS code of code components requires a
restrict accesspermission, so using non-sandboxed iframes for the various previews isn't a vulnerability, but sandboxing them would help add extra defense against some privilege escalation vectors, so switching the tag from Security to "Security improvements".However, I'm still tagging this as a beta blocker as well, because we want early adopters able to run the beta in production, and this would help provide extra confidence for doing so.
- 🇺🇸United States effulgentsia
I discussed this with @lauriii and we decided that people running beta1 in production can be judicious about to whom they give the permission. It would be nice to get this resolved early in the beta cycle but we don't have to block beta1 on it.
- 🇺🇸United States effulgentsia
We're not targeting this for beta anymore. I'd still like to resolve it relatively soon after beta1, but the "stable blocker" tag plus Critical priority is enough to keep this on our radar for that.
- 🇫🇮Finland lauriii Finland
Moving this to stable target because it is possible to start getting adoption especially with smaller sites prior to having this.
