Home-Assistant/frontend
1
0
Fork 0
mirror of https://github.com/home-assistant/frontend.git synced 2026-05-24 17:19:17 +01:00
Code Activity
20,635 Commits 423 Branches 810 Tags
7dbd6ae5a27770fae44231ffc41268684eb7ff46
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Pascal Vizeli 7dbd6ae5a2 Add-on iframe: delegate microphone + camera Permissions Policy (#52068) 
* Add-on iframe: delegate microphone + camera Permissions Policy

The add-on ingress iframe in ``ha-panel-app.ts`` ships without an
``allow=`` attribute, so the Permissions Policy default of *deny*
applies for ``microphone`` and ``camera`` on the cross-origin
iframe. An add-on that wants to call ``getUserMedia`` — voice
notes, dictation, video calls, photo capture — fails silently with
``NotAllowedError`` before the browser even surfaces the permission
prompt.

The failure is most visible on the Android Companion app, where
there's no "open in a new tab" escape: the user presses the mic
button and nothing happens, no toast, no logs.

Delegate ``microphone``, ``camera``, and ``clipboard-write`` to the
add-on iframe. Add-ons are first-party software the user explicitly
installs, and Chrome's runtime permission prompt still gates the
hardware access — the ``allow=`` attribute just lets the iframe
*request* the prompt instead of being blocked at the policy layer.

``clipboard-write`` is bundled in because the next-most-frequent
silent-fail in add-on land is ``navigator.clipboard.writeText`` for
"copy link" / "copy code" affordances, blocked by the same
mechanism.

* Sandbox add-on ingress iframe without allow-same-origin

Split IFRAME_SANDBOX into two constants: IFRAME_SANDBOX (without
allow-same-origin) for add-on ingress iframes that need origin
isolation, and IFRAME_SANDBOX_SAME_ORIGIN for external iframes
that need same-origin access.

This ensures add-on iframes can't inherit camera/microphone
permissions already granted to the Home Assistant origin, and
prevents same-origin iframes from removing their own sandbox.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Paulus Schoutsen <balloob@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-22 19:31:56 +02:00
.devcontainer
Fixup dev container (#29376)
2026-02-04 08:33:39 +02:00
.github
Bump actions/labeler from 6.0.1 to 6.1.0 (#52077)
2026-05-17 08:53:19 +02:00
.husky
.vscode
Remove supervisor build (#29132)
2026-01-22 13:30:33 +01:00
.yarn
Deduplicate workbox by updating patch (#51919)
2026-05-08 08:47:25 +03:00
build-scripts
Create third party license file during production build, add CI (#30360)
2026-05-13 11:28:22 +02:00
cast
Fix errors loading the demo site (#51695)
2026-04-29 12:04:51 +01:00
demo
Fix demo instance mock recorder data generation (#51950)
2026-05-10 10:18:44 +02:00
docs
gallery
Migrate gallery drawer to ha-drawer and drop mwc-drawer dependency (#52031)
2026-05-14 15:52:24 +02:00
landing-page
Redesign automation row indicators (#51737)
2026-04-29 12:04:27 +02:00
public
Add automation behavior selector (#30322)
2026-04-29 16:12:17 +02:00
script
Create third party license file during production build, add CI (#30360)
2026-05-13 11:28:22 +02:00
src
Add-on iframe: delegate microphone + camera Permissions Policy (#52068)
2026-05-22 19:31:56 +02:00
test
Add entity-first card picker for dashboard (#51651)
2026-05-21 15:01:10 +02:00
.browserslistrc
.gitattributes
.gitignore
Ignore local opencode directory (#51504)
2026-04-10 12:44:48 +02:00
.gitmodules
.nvmrc
Update Node.js to v24.16.0 (#52140)
2026-05-21 17:03:13 +02:00
.prettierignore
.yarnrc.yml
Create third party license file during production build, add CI (#30360)
2026-05-13 11:28:22 +02:00
AGENTS.md
Update LLM instructions to recent codebase changes (#28017)
2025-11-20 17:59:56 +00:00
CLA.md
CLAUDE.md
Add initial instructions file for GitHub Copilot and Claude Code (#25967)
2025-06-27 18:06:23 +02:00
CODE_OF_CONDUCT.md
CODEOWNERS
Revert "Add Mobile team and design has codeowner of the theme colors" (#26432)
2025-08-07 15:06:41 +02:00
eslint.config.mjs
Drop eslint-config-airbnb-base and cherry-pick rules (#51627)
2026-04-25 14:16:53 +03:00
gulpfile.js
LICENSE.md
lint-staged.config.js
Update eslint to v10.1.0 (#51352)
2026-04-07 08:33:58 +03:00
MANIFEST.in
netlify.toml
Remove YARN_VERSION from netlify.toml (inherit packageManager) (#52101)
2026-05-19 13:26:33 +02:00
package.json
Update tsparticles to v4.0.5 (#52162)
2026-05-22 18:17:04 +03:00
prettier.config.js
Prettier one line format in style .globals.ts files (#26991)
2025-09-10 14:54:34 +02:00
pyproject.toml
Bumped version to 20260429.0
2026-04-29 16:17:10 +02:00
README.md
Remove supervisor build (#29132)
2026-01-22 13:30:33 +01:00
renovate.json
Migrate Renovate config (#52105)
2026-05-19 14:07:06 +00:00
rspack.config.cjs
tsconfig.json
Update formatjs monorepo (#51601)
2026-04-20 06:07:59 +00:00
yarn.lock
Update tsparticles to v4.0.5 (#52162)
2026-05-22 18:17:04 +03:00

README.md

Home Assistant Frontend

This is the repository for the official Home Assistant frontend.

Screenshot of the frontend

Development

  • Initial setup: script/setup
  • Development: Instructions
  • Production build: script/build_frontend
  • Gallery: cd gallery && script/develop_gallery

Frontend development

Classic environment

A complete guide can be found at the following link. It describes a short guide for the build of project.

License

Home Assistant is open-source and Apache 2 licensed. Feel free to browse the repository, learn and reuse parts in your own projects.

We use BrowserStack to test Home Assistant on a large variety of devices.

Home Assistant - A project from the Open Home Foundation

View Git Blame Copy Permalink
S
Description
Frontend for Home Assistant
https://home-assistant.io
frontendhacktoberfesthome-assistanthome-automationlit-elementpolymerwebcomponents
Readme 377 MiB
Languages
TypeScript 98.8%
JavaScript 1.1%