Constructing a rich experience on today's web almost unavoidably involves embedding components and content over which you have no real control. Third-party widgets can drive engagement and play a critical role in the overall user experience, and user-generated content is sometimes even more important than a site's native content. Abstaining from either isn't really an option, but both increase the risk that Something Bad™ could happen on your site. Each widget that you embed - every ad, every social media widget - is a potential attack vector for those with malicious intent:

Content Security Policy (CSP) can mitigate the risks associated with both of these types of content by giving you the ability to whitelist specifically trusted sources of script and other content. This is a major step in the right direction, but it's worth noting that the protection that most CSP directives offer is binary: the resource is allowed, or it isn't. There are times when it would be useful to say "I'm not sure I actually trust this source of content, but it's soooo pretty! Embed it please, Browser, but don't let it break my site."

Least Privilege

In essence, we're looking for a mechanism that will allow us to grant content we embed only the minimum level of capability necessary to do its job. If a widget doesn't need to pop up a new window, taking away access to window.open can't hurt. If it doesn't require Flash, turning off plugin support shouldn't be a problem. We're as secure as we can be if we follow the principle of least privilege, and block each and every feature that isn't directly relevant to functionality we'd like to use. The result is that we no longer have to blindly trust that some piece of embedded content won't take advantage of privileges it shouldn't be using. It simply won't have access to the functionality in the first place.

Iframe elements are the first step toward a good framework for such a solution. Loading some untrusted component in an iframe provides a measure of separation between your application and the content you'd like to load. The framed content won't have access to your page's DOM, or data you've stored locally, nor will it be able to draw to arbitrary positions on the page; it's limited in scope to the frame's outline. The separation isn't truly robust, however. The contained page still has a number of options for annoying or malicious behavior: autoplaying video, plugins, and popups are the tip of the iceberg. The sandbox attribute of the iframe element gives us just what we need to tighten the restrictions on framed content. We can instruct the browser to load a specific frame's content in a low-privilege environment, allowing only the subset of capabilities necessary to do whatever work needs doing.

Twitter's "Tweet" button is a great example of functionality that can be more safely embedded on your site via a sandbox. Twitter allows you to embed the button via an iframe with the following code:

To figure out what we can lock down, let's carefully examine what capabilities the button requires. The HTML that's loaded into the frame executes a bit of JavaScript from Twitter's servers, and generates a popup populated with a tweeting interface when clicked. That interface needs access to Twitter's cookies in order to tie the tweet to the correct account, and needs the ability to submit the tweeting form. That's pretty much it: the frame doesn't need to load any plugins, it doesn't need to navigate the top-level window, or any of a number of other bits of functionality. Since it doesn't need those privileges, let's remove them by sandboxing the frame's content.

Sandboxing works on the basis of a whitelist. We begin by removing all permissions possible, and then turn individual capabilities back on by adding specific flags to the sandbox's configuration. For the Twitter widget, we've decided to enable JavaScript, popups, form submission, and Twitter's cookies. We can do so by adding a sandbox attribute to the iframe with the following value:

We've given the frame all the capabilities it requires, and the browser will helpfully deny it access to any of the privileges that we didn't explicitly grant it via the sandbox attribute's value.

We saw a few of the possible sandboxing flags in the example above; let's now dig through the inner workings of the attribute in a little more detail. Given an iframe with an empty sandbox attribute, the framed document will be fully sandboxed, subjecting it to the following restrictions:
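The whitelist approach described above, as an added example in JavaScript that is not part of the original article: it starts from an empty sandbox and adds only the allow-* flags a widget needs, and its audit check goes slightly beyond the text by flagging the one flag combination under which the sandbox gives no isolation. The helper names sandboxValue, auditSandbox and sandboxedIframe and the example origins are assumptions.

```javascript
// Added example (not the article's code): build a sandbox attribute value on
// a whitelist basis. Start with no privileges (an empty sandbox) and add only
// the allow-* flags the embedded widget demonstrably needs.
const SANDBOX_FLAGS = {
  scripts: "allow-scripts",               // run JavaScript inside the frame
  popups: "allow-popups",                 // window.open / target=_blank
  forms: "allow-forms",                   // submit forms from the frame
  sameOrigin: "allow-same-origin",        // keep the frame's real origin (cookies, storage)
  topNavigation: "allow-top-navigation",  // let the frame navigate the top-level window
};

// Returns the sandbox attribute value for a set of required capabilities.
// Unknown capability names are rejected rather than silently granted.
function sandboxValue(required) {
  const flags = [];
  for (const cap of required) {
    const flag = SANDBOX_FLAGS[cap];
    if (!flag) throw new Error(`unknown capability: ${cap}`);
    flags.push(flag);
  }
  return flags.join(" ");
}

// Configuration audit. If the framed document is same-origin with the
// embedding page and gets both allow-scripts and allow-same-origin, the
// sandbox provides no isolation: script in the frame is same-origin with the
// parent and the restrictions can be undone. Returns warnings (empty if none).
function auditSandbox(value, frameOrigin, pageOrigin) {
  const flags = new Set(value.split(/\s+/).filter(Boolean));
  const warnings = [];
  if (flags.has("allow-scripts") && flags.has("allow-same-origin") && frameOrigin === pageOrigin) {
    warnings.push("allow-scripts + allow-same-origin on same-origin content defeats the sandbox");
  }
  if (flags.has("allow-top-navigation")) {
    warnings.push("allow-top-navigation lets the frame navigate the whole page");
  }
  return warnings;
}

// Builds the iframe markup as a string so the example runs without a DOM.
function sandboxedIframe(src, required) {
  return `<iframe src="${src}" sandbox="${sandboxValue(required)}"></iframe>`;
}

// The Tweet button from the article: scripts, popups, forms and Twitter's cookies.
const TWEET_BUTTON_CAPS = ["scripts", "popups", "forms", "sameOrigin"];
```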