fix: allow cross-origin-isolation for the run endpoint #39

Merged
SamVerschueren merged 2 commits into main from fix/cross-origin-isolation/run-endpoint
Jul 1, 2026
@SamVerschueren

Contributor

After digging into the issues with cross-origin-isolation and the run endpoint, I found out that the reason the run endpoint was not properly getting cross-origin isolation is that the iframe we created does not have a src property. This means that it renders this:

<iframe allow="cross-origin-isolation"></iframe>

That iframe then posts to the /run endpoint. The problem is that the cross-origin-isolation is now allowing about:blank to be cross-origin isolated, not stackblitz.com. So in order to fix this, we have to set allow="cross-origin-isolation https://stackblitz.com" explicitly.

This PR also adds the entire browser allow-list.
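
The allowlist behaviour described in the PR description above, modelled as an added example (not code from this pull request or from StackBlitz). The helper names and the `null` used for the src-less frame are assumptions, and the check is a simplified version of how an `allow` entry is matched against the framed document's origin.

```javascript
// Added example: simplified model of iframe `allow` delegation (not browser code).
// Helper names are hypothetical; sample values are constructed.
const FEATURE = 'cross-origin-isolation'; // feature name as written in the PR
const RUN_ORIGIN = 'https://stackblitz.com'; // origin that serves /run

// Parse "feature [allowlist...]; feature ..." into Map<feature, string[]>.
function parseAllow(allow) {
  const policy = new Map();
  for (const directive of allow.split(';')) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    // A feature listed without an allowlist defaults to 'src'.
    policy.set(feature, allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Does `allow` delegate `feature` to a document served from `targetOrigin`?
// `srcOrigin` is what 'src' resolves to for this frame; `pageOrigin` is 'self'.
function isDelegated(allow, feature, targetOrigin, { srcOrigin, pageOrigin }) {
  const allowlist = parseAllow(allow).get(feature) ?? [];
  return allowlist.some((entry) => {
    if (entry === '*') return true;
    if (entry === "'none'") return false;
    if (entry === "'self'") return targetOrigin === pageOrigin;
    if (entry === "'src'") return targetOrigin === srcOrigin;
    try {
      return new URL(entry).origin === targetOrigin;
    } catch {
      return false; // entry is not a parseable origin
    }
  });
}

// Frame without a src attribute: modelled as 'src' never matching the /run origin.
const frame = { srcOrigin: null, pageOrigin: 'https://embedder.example' };

// Before the fix: allow="cross-origin-isolation" (implicit 'src').
const before = isDelegated(FEATURE, FEATURE, RUN_ORIGIN, frame);
// After the fix: allow="cross-origin-isolation https://stackblitz.com".
const after = isDelegated(`${FEATURE} ${RUN_ORIGIN}`, FEATURE, RUN_ORIGIN, frame);

console.log({ before, after });
```

Naming the origin explicitly keeps the delegation scoped to that one origin, unlike `*`, which would extend it to any document the frame navigates to.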

@bolt-new-by-stackblitz


Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

Nemikolh previously approved these changes Jul 1, 2026

@Nemikolh Nemikolh left a comment

Member

Nice fix!!

@SamVerschueren SamVerschueren merged commit 8f83d74 into main Jul 1, 2026
2 checks passed