Sandbox policy to <iframe> tags #2089

Open
danehrlich1 opened this Issue Jan 1, 2019 · 1 comment

danehrlich1 commented Jan 1, 2019

A big way to improve the security of iframes is by using the sandbox policy. Example:

https://html.spec.whatwg.org/multipage/origin.html#sandboxed-modals-flag
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

<iframe sandbox="allow-forms allow-top-navigation allow-scripts"></iframe>

sandbox
Applies extra restrictions to the content in the frame. The value of the attribute can either be empty to apply all restrictions, or space-separated tokens to lift particular restrictions:
allow-forms: Allows the resource to submit forms. If this keyword is not used, form submission is blocked.
allow-modals: Lets the resource open modal windows.
allow-orientation-lock: Lets the resource lock the screen orientation.
allow-pointer-lock: Lets the resource use the Pointer Lock API.
allow-popups: Allows popups (such as window.open(), target="_blank", or showModalDialog()). If this keyword is not used, the popup will silently fail to open.
allow-popups-to-escape-sandbox: Lets the sandboxed document open new windows without those windows inheriting the sandboxing. For example, this can safely sandbox an advertisement without forcing the same restrictions upon the page the ad links to.
allow-presentation: Lets the resource start a presentation session.
allow-same-origin: If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy.
allow-scripts: Lets the resource run scripts (but not create popup windows).
allow-storage-access-by-user-activation: Lets the resource request access to the parent's storage capabilities with the Storage Access API.
allow-top-navigation: Lets the resource navigate the top-level browsing context (the one named _top).
allow-top-navigation-by-user-activation: Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
danehrlich1 commented Jan 1, 2019

This issue will require some testing.

Most likely all our iframes can run fine with allow-forms, allow-scripts OR allow-same-origin, and also maybe allow-top-navigation and allow-popups-to-escape-sandbox.
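A small audit helper for the token list above and the combination discussed in this comment. This is an added example, not code from the issue or the project; it assumes a `sandbox` attribute value as a plain string and reports unknown tokens (a misspelled token lifts nothing) plus combinations that weaken the sandbox.

```javascript
// Added example: audit an <iframe sandbox="..."> value against the token
// list quoted in the issue and flag combinations that weaken the sandbox.
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-modals", "allow-orientation-lock", "allow-pointer-lock",
  "allow-popups", "allow-popups-to-escape-sandbox", "allow-presentation",
  "allow-same-origin", "allow-scripts",
  "allow-storage-access-by-user-activation", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

function auditSandbox(value) {
  // The attribute is a set of ASCII case-insensitive, space-separated tokens;
  // an empty value keeps every restriction in place.
  const tokens = value.trim().toLowerCase().split(/\s+/).filter(Boolean);
  const lifted = new Set(tokens.filter((t) => KNOWN_TOKENS.has(t)));
  // Unknown tokens are silently ignored by browsers, so a typo such as
  // "allow-popups-escape-sandbox" lifts no restriction at all.
  const unknown = tokens.filter((t) => !KNOWN_TOKENS.has(t));
  const warnings = [];
  if (lifted.has("allow-scripts") && lifted.has("allow-same-origin")) {
    warnings.push("allow-scripts + allow-same-origin: if the framed document is " +
      "same-origin with the embedder, its script can reach the parent DOM and " +
      "remove the sandbox attribute, so the sandbox protects nothing");
  }
  if (lifted.has("allow-top-navigation")) {
    warnings.push("allow-top-navigation: framed content may navigate the " +
      "top-level page without a user gesture; prefer " +
      "allow-top-navigation-by-user-activation");
  }
  if (lifted.has("allow-popups-to-escape-sandbox")) {
    warnings.push("allow-popups-to-escape-sandbox: windows opened by the frame " +
      "carry none of these restrictions");
  }
  return { lifted: [...lifted].sort(), unknown, warnings };
}

// Constructed inputs: the value from the issue and the one this comment proposes.
console.log(auditSandbox("allow-forms allow-top-navigation allow-scripts"));
console.log(auditSandbox("allow-forms allow-scripts allow-same-origin"));
```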
