chore: add safety comment for allow-same-origin sandbox flag

GeneralJerel · GeneralJerel · commit d4f4ea60b766 · 2026-03-25T11:52:22.000-07:00
References issue #3 — allow-same-origin is required for import maps in srcdoc iframes but weakens the sandbox. Document the tradeoff.
diff --git a/apps/app/src/components/generative-ui/widget-renderer.tsx b/apps/app/src/components/generative-ui/widget-renderer.tsx
@@ -700,6 +700,9 @@ export function WidgetRenderer({ title, description, html }: WidgetRendererProps
             content streamed via postMessage for progressive rendering. */}
         <iframe
           ref={iframeRef}
+          // allow-same-origin is required for import maps to work in srcdoc iframes.
+          // Safe here because no auth/session data is exposed client-side.
+          // See: https://github.com/CopilotKit/OpenGenerativeUI/issues/3
           sandbox="allow-scripts allow-same-origin"
           className="w-full border-0"
           onLoad={() => setLoaded(true)}
