Theia "mini-browser" exploit

The mini-browser extension in Theia displays html files into an iframe. But currently we have the following settings:

• The iframe is sandboxed as "allow-same-origin allow-scripts".
• The html file to preview is served via a Theia endpoint from the same origin.

These two things combined mean that when a file is previewed in Theia using the mini-browser extension, a malicious html file can connect to the Theia backend via websocket and do pretty much anything.