Refining the sandbox sample to reflect modern standards would be beneficial for developers learning from this repo. Noticed that the api-samples/sandbox directory still relies on Handlebars 1.0.0-beta.6, which dates back to 2012. Using such an ancient version in a current sample might lead developers to inadvertently include insecure or unmaintained dependencies in their own extensions.
Tightening the communication logic by replacing postMessage("*") with an explicit origin check would also set a better security precedent. Even though the sandbox environment provides isolation, showcasing a restricted origin check helps prevent developers from copy-pasting wildcard patterns into non-sandboxed contexts.
Would you be open to a PR that updates the library to a stable version and implements more restrictive messaging? Just wanted to check if this is something you'd like to see updated to keep the samples aligned with current best practices.
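As an added illustration of the restricted messaging the issue proposes (example code, not from the samples repository), the sandbox-side listener below accepts messages only from an explicit allow-list of origins and replies to `event.origin` instead of the `"*"` wildcard. `EXTENSION_ORIGIN`, the `render` callback and the message shape (`command`, `context`) are constructed for the demo.

```javascript
// Added example, not from the chrome-extensions-samples repo: a 'message' listener for a
// sandboxed extension page with an explicit origin allow-list and a pinned reply target.

// Constructed placeholder for the extension's origin (real ids are 32 lowercase letters).
const EXTENSION_ORIGIN = 'chrome-extension://abcdefghijklmnopabcdefghijklmnop';

// Build the listener. `render` is the sandbox's real work (templating in the original
// sample); it is injected here so the messaging logic can be tested on its own.
function createSandboxListener({ allowedOrigins, render }) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    // 1. Drop anything not from an allow-listed origin (a wildcard listener skips this).
    if (!allowed.has(event.origin)) {
      return { accepted: false, reason: `origin ${event.origin} not allowed` };
    }
    // 2. Validate the message shape before acting on it.
    const data = event.data;
    if (!data || typeof data !== 'object' || data.command !== 'render') {
      return { accepted: false, reason: 'malformed or unknown command' };
    }
    const text = render(data.context || {});
    // 3. Reply only to the window that asked, pinned to the sender's origin rather than "*":
    // if that window has navigated elsewhere since, the browser drops the reply instead of
    // delivering it to a foreign document.
    event.source.postMessage({ command: 'rendered', text }, event.origin);
    return { accepted: true, targetOrigin: event.origin };
  };
}

// Constructed stand-in for a Window that records what was posted and with which target.
function fakeWindow() {
  const posted = [];
  return { posted, postMessage: (msg, targetOrigin) => posted.push({ msg, targetOrigin }) };
}

// Demo: one message from the extension page, one from an unrelated web origin.
function demo() {
  const listener = createSandboxListener({
    allowedOrigins: [EXTENSION_ORIGIN],
    render: (ctx) => `Hello, ${ctx.name}`,
  });
  const trusted = fakeWindow();
  const hostile = fakeWindow();
  const ok = listener({ origin: EXTENSION_ORIGIN, source: trusted,
                        data: { command: 'render', context: { name: 'Alice' } } });
  const dropped = listener({ origin: 'https://example.org', source: hostile,
                             data: { command: 'render', context: { name: 'x' } } });
  return { ok, dropped, trusted, hostile };
}
```

Because a sandboxed extension page is served from a unique (opaque) origin, the parent extension page cannot pin its own sends to a named origin and instead identifies replies by comparing `event.source` with the sandbox iframe's `contentWindow`; the allow-list above is therefore the sandbox-side half of the check.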