upvote

points

by simonw20 hours ago |
comments
upvoteby staticassertion1 hours ago|
next
[-]
iframe sandboxing is wildly underleveraged. I think it's because it doesn't work well with "modern" app development - you need the ability to slice bits and pieces out yourself.

I've been just using plain typescript/html and it's so easy to say "yeah all of that rendered content goes into an iframe", I've got all of d3 entirely sandboxed away with a strict CSP and no origin.

I do hope that iframe sandboxing grows some new primitives. It's still quite hacky - null origins suck and I want a virtual/sandbox origin primitive as well as better messaging primitives.

reply
upvoteby simonw25 minutes ago|
parent|
[-]
I think the reason it's under leveraged is that there's so little useful documentation about it - particularly about its support in different browsers.

For something like this that's security critical I'd really like to see each of the browser vendors publishing detailed, trustworthy documentation about their implementations.

The technology itself is very widely deployed due to banner ads, so it's at least thoroughly exercised.

reply
upvoteby rafram20 hours ago|
prev|
next
[-]
And any additional CSP directives can only narrow what's allowed. Also works with headers plus <meta> - <meta>s can restrict the CSP even more than what the headers specified, but they can't widen it.
reply
upvoteby philipallstar2 hours ago|
prev|
next
[-]
Wow - I had no idea. That's really useful, and probably much easier to implement by javascripters than something that might be set in nginx.
reply
upvoteby som2 hours ago|
prev|
next
[-]
I read this whole post silently mouthing a "CSP" mantra as each new vulnerability was discovered, years apart no less. Elated when I got to the revelation towards the end.

But for all my self righteous bluster the inline version was news to me. Hacker news. Awesome. Thank you.

reply
upvoteby amluto18 hours ago|
prev|
next
[-]
An idea I’ve been kicking around (which isn’t quite applicable to this use case, I think) is to aggressively restrict the Sec-Fetch- headers on user content. If a server is willing to serve up an untrustworthy SVG, it could refuse to serve it at all unless Sec-Fetch-Dest has the correct value, and ‘document’ and ‘iframe’ would not be correct values. This would make it more difficult to fool a user or their browser by, for example, linking to an SVG file, or using a less-secure mechanism like embed to load it.

This should be in addition to heavily restricting CSP on user content. (Hmm, surely all images should be served with the CSP header set.)

reply
upvoteby bawolff18 hours ago|
parent|
[-]
You can bypass the sec-fetch headers via service workers i think.

A better approach here would be to just serve svg with Content-security-policy: script-src 'none'; sandbox

reply
upvoteby amluto18 hours ago|
parent|
[-]
But you can't make a link to https://your.domain/my_phishing_page.svg work as a phishing page using service workers unless you've pretty thoroughly pwned the site already. (And you can constrain what gets to run as a service worker using Sec-Fetch-Dest!)

I suppose an actual exception is Content-Disposition. If you want the user to save a file, you need to serve it with dest == document as far as I know.

reply
upvoteby tracker120 hours ago|
prev|
next
[-]
Nice, favorited... thinking this could be useful for an email reader to support css, but not scripts.
reply
upvoteby arcfour14 hours ago|
parent|
[-]
Most extant email readers support such a limited subset of CSS that nobody is likely to send emails with anything beyond very basic CSS though, unless your reader gains a ton of traction I suppose.
reply
upvoteby recursive20 hours ago|
prev|
next
[-]
I did not know about `srcdoc`, but it looks like that's still vulnerable to injection by using a double quote and </iframe> to escape the sandbox. If this is constructed in a hygienic way using DOM manipulation, it seems like it could work, but it definitely seems possible to screw up.
reply
upvoteby rafram20 hours ago|
parent|
next
[-]
If you're constructing your unsandboxed parent document HTML using string concatenation, you might as well not use the sandboxed iframe at all. But presumably someone who bothers to sandbox untrusted content also knows about setAttribute(), or the srcdoc JS property.
reply
upvoteby simonw20 hours ago|
parent|
prev|
next
[-]
You can entity-encode the content in the srcdoc= attribute to robustly solve that problem, or populate it via the DOM.
reply
upvoteby tracker120 hours ago|
parent|
prev|
[-]
s/"/&quot;/g
reply
upvoteby jimmypk1 hours ago|
prev|
[-]
[dead]
reply