
added same origin for interstitial web popup#501

Open
AshwinSaxena01 wants to merge 7 commits intodevelopfrom
ONC-173

Conversation


@AshwinSaxena01 AshwinSaxena01 commented Jan 13, 2026

Changes

Describe the key changes in this PR with the Jira Issue reference

Changes to Public Facing API if any

Please list the impact on the public facing API if any

How Has This Been Tested?

Describe the testing approach and any relevant configurations (e.g., environment, platform)

Checklist

  • Code compiles without errors
  • Version Bump added to package.json & CHANGELOG.md
  • All tests pass
  • Build process is successful
  • Documentation has been updated (if needed)
  • Automation tests are passing

Link to Deployed SDK

Use these URLs for testing:

  1. https://static.wizrocket.com/staging/<CURRENT_BRANCH_NAME>/js/clevertap.min.js
  2. https://static.wizrocket.com/staging/<CURRENT_BRANCH_NAME>/js/sw_webpush.min.js

How to trigger Automations

Just add an empty commit after all your changes are done in the PR with the command

 git commit --allow-empty -m "[run-test] Testing Automation"

This will trigger the automation suite


Note

Expands iframe sandbox permissions for previewed interstitials using the custom editor.

  • Updates clevertap.js to add allow-same-origin to iframe.sandbox when display.preview and display['custom-editor'] are enabled, enabling same-origin access in the preview context

Written by Cursor Bugbot for commit f5039a9.

Summary by CodeRabbit

  • Bug Fixes
    • Extended iframe sandbox permissions for campaign previews with custom editors to allow same-origin access in exit-intent and template rendering scenarios, improving sandbox capabilities and compatibility.


@AshwinSaxena01 AshwinSaxena01 requested a review from a team as a code owner January 13, 2026 10:18

francispereira commented Jan 13, 2026

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total (0)
Open Source Security  0         0     0       0    0 issues
Licenses              0         0     0       0    0 issues
Code Security         0         0     0       0    0 issues



coderabbitai bot commented Jan 13, 2026

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.


Walkthrough

The changes extend iframe sandbox permissions by adding 'allow-same-origin' to sandbox attributes in preview scenarios with custom-editor enabled. Two files are updated with identical sandbox attribute modifications affecting iframe security policies.

Changes

Cohort:   Iframe Sandbox Policy Updates
File(s):  clevertap.js, src/util/campaignHouseKeeping/commonCampaignUtils.js
Summary:  Added 'allow-same-origin' permission to iframe sandbox attribute string when display.preview is truthy and display['custom-editor'] is present. Changes extend sandbox from 'allow-scripts allow-popups allow-popups-to-escape-sandbox' to include same-origin access. Applied in two rendering contexts: preview initialization in clevertap.js and exit-intent/intentPreview template creation in commonCampaignUtils.js. No control flow modifications.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

  • singhkunal2050

Poem

🐰 A sandbox grows wider, more doors to explore,
Allow-same-origin unlocks what was before,
Two files align in harmony sweet,
Security and preview now complete! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  Description check: ⚠️ Warning
    Explanation: The PR description is a template with mostly unfilled placeholders; key sections lack actual content about changes, API impact, and testing.
    Resolution: Fill in the 'Changes' section with the Jira issue reference and concrete details (e.g., ONC-173: added allow-same-origin to iframe sandbox for preview custom-editor). Describe testing approach and verify all checklist items are addressed before merging.

✅ Passed checks (2 passed)

  Title check: ✅ Passed
    Explanation: The title 'added same origin for interstitial web popup' accurately describes the main change: adding same-origin sandbox permission to iframes for preview interstitials in the custom editor.
  Docstring Coverage: ✅ Passed
    Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@cursor cursor bot left a comment


This PR is being reviewed by Cursor Bugbot

Details



if (targetingMsgJson.display.preview && targetingMsgJson.display['custom-editor']) {
iframe.sandbox = 'allow-scripts allow-popups allow-popups-to-escape-sandbox';
iframe.sandbox = 'allow-scripts allow-popups allow-popups-to-escape-sandbox allow-same-origin';
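Review bot: the replacement sandbox value on the last line pairs allow-scripts with allow-same-origin, while the guard on the first line only checks display.preview and display['custom-editor'], not where the framed document comes from; a document written into the frame inline runs as the parent's origin once allow-same-origin is present, and with scripts enabled it can delete its own sandbox attribute, so this preview branch is no longer sandboxed in any meaningful way. If the custom editor genuinely needs same-origin DOM access for the preview, add a comment on this branch saying why and load the preview document from a dedicated origin; otherwise keep the token list from the previous line and pass what the editor needs through postMessage.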

Iframe sandbox bypass allows script access to parent

High Severity

Adding allow-same-origin to the iframe sandbox that already has allow-scripts effectively defeats sandbox protection. This combination allows sandboxed content to access the parent page's DOM, cookies, localStorage, and even remove the sandbox attribute entirely. Since the iframe loads HTML content from targetingMsgJson.msgContent.html (campaign content that may be remotely sourced), any compromise of that content could lead to full access to the parent page. MDN explicitly warns against using allow-scripts and allow-same-origin together when the embedded document shares the same origin as the embedding page.

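As an added example that is not part of this PR or the CleverTap SDK: a small JavaScript checker that parses a sandbox attribute string and reports whether the allow-scripts plus allow-same-origin combination the bot flags lets the framed document reach the parent page, given where the framed content comes from. It goes slightly beyond the case above by also handling a frame whose src points at a different origin, where the pairing is not escapable. The contentSource description, the parentOrigin parameter and the sample values are assumptions of this example.

```javascript
// Added example (not the SDK's own code): classify an iframe sandbox token
// list for the allow-scripts + allow-same-origin hazard and produce the
// hardened form.

// Sandbox tokens defined by the HTML standard; anything else is ignored by
// browsers and reported here as unknown.
const SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Split a sandbox attribute value into recognised tokens (insertion order kept)
// and unrecognised ones, the way a browser's token-list parsing would see it.
function parseSandbox(attr) {
  const tokens = new Set();
  const unknown = [];
  for (const raw of String(attr).trim().split(/\s+/)) {
    if (!raw) continue;
    const t = raw.toLowerCase();
    if (SANDBOX_TOKENS.has(t)) tokens.add(t); else unknown.push(raw);
  }
  return { tokens, unknown };
}

// contentSource (assumed shape for this example):
//   { kind: 'inline' }                      srcdoc / document.write; inherits the parent's origin
//   { kind: 'url', origin: 'https://...' }  a src URL; runs as that URL's origin
// Without allow-same-origin the frame gets an opaque ("null") origin regardless.
function assessSandbox(attr, contentSource, parentOrigin) {
  const { tokens, unknown } = parseSandbox(attr);
  const scripts = tokens.has('allow-scripts');
  const sameOrigin = tokens.has('allow-same-origin');
  const effectiveOrigin = !sameOrigin
    ? 'null'
    : contentSource.kind === 'inline' ? parentOrigin : contentSource.origin;
  // The escape needs all three: scripts, a real origin, and that origin being the parent's.
  const canReachParent = scripts && sameOrigin && effectiveOrigin === parentOrigin;
  let reason;
  if (canReachParent) {
    reason = 'allow-scripts + allow-same-origin on same-origin content: the frame can remove its own sandbox attribute';
  } else if (!scripts) {
    reason = 'scripts disabled';
  } else {
    reason = 'frame runs with an origin distinct from the parent';
  }
  return {
    effectiveOrigin,
    canReachParent,
    severity: canReachParent ? 'high' : 'ok',
    unknownTokens: unknown,
    reason,
  };
}

// Hardened form: keep the other capabilities, drop allow-same-origin so inline
// content runs with an opaque origin and cannot touch the parent's DOM.
function hardenSandbox(attr) {
  const { tokens } = parseSandbox(attr);
  tokens.delete('allow-same-origin');
  return [...tokens].join(' ');
}

// Constructed sample matching the value introduced in the PR.
const PR_SANDBOX = 'allow-scripts allow-popups allow-popups-to-escape-sandbox allow-same-origin';

function demo() {
  const verdict = assessSandbox(PR_SANDBOX, { kind: 'inline' }, 'https://parent.example');
  console.log(verdict.severity, verdict.reason);
  console.log('hardened:', hardenSandbox(PR_SANDBOX));
  return verdict;
}
```

If the preview really does need a same-origin frame, assessSandbox is also the place to record that decision: it returns 'ok' when contentSource is a URL on a different origin, which is the shape a dedicated preview origin would take, and the remaining capabilities the editor needs can be exposed through postMessage to a frame that keeps the hardened token list.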

@AshwinSaxena01 AshwinSaxena01 changed the base branch from master to develop January 19, 2026 07:14

3 participants