fix

2026-05-31 21:39:28 +00:00 · 2026-02-11 15:38:05 -08:00 · 2026-02-11 15:38:05 -08:00 · a8e3280b7d
commit a8e3280b7d
parent b8f5e533c5
2 changed files with 52 additions and 2 deletions
--- a/index.html
+++ b/index.html
@ -4,9 +4,57 @@
 		<meta charset="UTF-8" />
 		<link rel="icon" type="image/x-icon" href="/favicon.ico" />
 		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+		<!-- Content Security Policy: CDN allowlist for agent-generated HTML -->
 		<meta
 			http-equiv="Content-Security-Policy"
-			content="script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.amplitude.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://unpkg.com https://ajax.googleapis.com https://raw.githubusercontent.com https://cdn.plot.ly https://d3js.org https://cdn.datatables.net https://cdn.chart.js https://cdn.canvasjs.com https://cdn.amcharts.com https://threejs.org https://pixijs.download https://cdn.babylonjs.com https://aframe.io https://cesium.com https://cdn.lottiefiles.com https://code.jquery.com https://stackpath.bootstrapcdn.com https://cdn.tailwindcss.com https://cdn.socket.io https://cdn.firebase.com https://maps.googleapis.com https://api.mapbox.com https://cdn.tiny.cloud https://cdn.ckeditor.com https://cdn.quilljs.com https://cdn.mathjax.org https://polyfill.io https://cdn.ethers.io https://cdn.auth0.com https://cdn.plyr.io https://vjs.zencdn.net https://cdn.dashjs.org https://cdn.bootcdn.net https://lib.baomitu.com https://cdn.staticfile.net https://cdn.bootcss.com https://cdn.npmmirror.com https://registry.npmmirror.com https://lf3-cdn-tos.bytecdntp.com;  worker-src 'self' blob:; child-src 'self' blob:;frame-src 'self' localfile: blob: data:;"
+			content="
+				script-src 'self' 'unsafe-inline' 'unsafe-eval'
+					https://cdn.amplitude.com
+					https://cdnjs.cloudflare.com
+					https://cdn.jsdelivr.net
+					https://unpkg.com
+					https://ajax.googleapis.com
+					https://raw.githubusercontent.com
+					https://code.jquery.com
+					https://stackpath.bootstrapcdn.com
+					https://cdn.tailwindcss.com
+					https://cdn.plot.ly
+					https://d3js.org
+					https://cdn.datatables.net
+					https://cdn.chart.js
+					https://cdn.canvasjs.com
+					https://cdn.amcharts.com
+					https://threejs.org
+					https://pixijs.download
+					https://cdn.babylonjs.com
+					https://aframe.io
+					https://cesium.com
+					https://cdn.lottiefiles.com
+					https://cdn.socket.io
+					https://cdn.firebase.com
+					https://maps.googleapis.com
+					https://api.mapbox.com
+					https://cdn.tiny.cloud
+					https://cdn.ckeditor.com
+					https://cdn.quilljs.com
+					https://cdn.mathjax.org
+					https://polyfill.io
+					https://cdn.ethers.io
+					https://cdn.auth0.com
+					https://cdn.plyr.io
+					https://vjs.zencdn.net
+					https://cdn.dashjs.org
+					https://cdn.bootcdn.net
+					https://lib.baomitu.com
+					https://cdn.staticfile.net
+					https://cdn.bootcss.com
+					https://cdn.npmmirror.com
+					https://registry.npmmirror.com
+					https://lf3-cdn-tos.bytecdntp.com;
+				worker-src 'self' blob:;
+				child-src 'self' blob:;
+				frame-src 'self' localfile: blob: data:;
+			"
 		/>
 		<script src="https://cdn.amplitude.com/libs/analytics-browser-2.11.1-min.js.gz"></script><script src="https://cdn.amplitude.com/libs/plugin-session-replay-browser-1.8.0-min.js.gz"></script><script>window.amplitude.add(window.sessionReplay.plugin({sampleRate: 1}));window.amplitude.init('87ce6adbb14b24ffe1703d18bf405e40', {"autocapture":{"elementInteractions":true}});</script>
 		<title>Eigent</title>
--- a/src/components/Folder/index.tsx
+++ b/src/components/Folder/index.tsx
@ -1034,11 +1034,13 @@ function HtmlRenderer({
            height: `${10000 / zoom}%`,
          }}
        >
+          {/* allow-same-origin: lets agent-generated HTML access localStorage/sessionStorage (e.g. saving game state).
+               Security is maintained via CSP allowlist in index.html which restricts script sources. */}
          <iframe
            ref={iframeRef}
            srcDoc={processedHtml}
            className="bg-white h-full w-full border-0"
-            sandbox="allow-scripts allow-forms"
+            sandbox="allow-scripts allow-forms allow-same-origin"
            title={selectedFile.name}
            tabIndex={0}
            onLoad={() => iframeRef.current?.focus()}