HTML5 iframe sandbox attributes problem - html

Could you help me understand Chrome implementation of HTML5 iframe sandbox attributes allow-same-origin and allow-top-navigation?
First question:
For example, when I test allow-same-origin I do:
<iframe id='frm' src="file.html" sandbox="allow-same-origin"></iframe>
...
var oIFrame = document.getElementById('frm');
// contentWindow in most browsers, contentDocument in older ones
var oDoc = (oIFrame.contentWindow || oIFrame.contentDocument);
if (oDoc.document) {
    oDoc = oDoc.document; // we got the window; step down to its document
}
oDoc.getElementById('foo').innerText = 'Hello man!';
...
Content of file.html:
...
<div id="foo">Hello</div>
...
alert(document.cookie);
...
and that works only when I have an additional attribute called allow-scripts, so I have sandbox="allow-scripts allow-same-origin". allow-same-origin alone doesn't work, and allow-scripts alone works great (scripts run but SOP-related APIs don't; that's OK with regard to the HTML5 standard).
Standard of HTML5 says:
"First, it can be used to allow content from the same site to be sandboxed to disable scripting, while still allowing access to the DOM of the sandboxed content."
Am I misunderstanding that, or is the Chrome implementation wrong?
Second question:
Standard of HTML5 says about allow-top-navigation:
"Second, it can be used to embed content from a third-party site, sandboxed to prevent that site from opening popup windows, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc."
My popups in Chrome aren't blocked. How could I block them? I use just allow-top-navigation.
Cheers,
David

For the first question:
It appears this means that the parent page can still have access to the DOM of the sandboxed <iframe>, whilst scripts in the <iframe> itself are blocked from execution; so it's only parent -> iframe, not iframe -> parent.
Second question:
Maybe I'm misunderstanding, but as the name allow-top-navigation implies, this will allow, rather than block, the framed site from using things like top.location.replace().

Related

What sandbox does an <object> element run in? Can this sandbox be configured?

I run a site that displays user-generated SVGs. They are untrusted, so they need to be sandboxed.
I currently embed these SVGs using <object> elements. (Unlike <img>, this allows loading external fonts. And unlike using an <iframe>, the <object> resizes to the SVG's content size. See this discussion.)
However, I don't know whether these SVGs are appropriately sandboxed when using <object>. The <iframe> permissions model is fairly clear, e.g. <iframe sandbox="allow-scripts"> disallows everything except running scripts. But what is the sandbox/permission model for <object> elements?
When I embed a page using <object>, what can that page do by default? E.g. what cookies can it access? Is it the same as an <iframe> without the sandbox attribute?
What are the implications of hosting the user content SVGs on the same domain? Should I instead host them on foobarusercontent.com?
Does the <object> tag support an equivalent of the sandbox attribute? Is there another way to set permissions for an <object>?
What specifications describe the security model for <object>?
When I embed a page using <object>, what can that page do by default? E.g. what cookies can it access? Is it the same as an <iframe> without the sandbox attribute?
Yes (at least in some browsers). The object can access the cookies that are on the same origin that it is included from (but not the origin that includes it).
You can test this with an SVG file:
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="110">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script>alert(document.cookie)</script>
</svg>
which you can include:
<script>document.cookie="test=test";</script>
<object data="./x.svg"></object>
This will work in Firefox (but not in Chrome, which apparently blocks JavaScript in objects; though I'm not sure whether this behaviour is documented, and I wouldn't rely on it for security purposes).
If the data attribute references a different domain, you won't be able to access the cookies of the embedding page (via top or parent; at least in Firefox).
What are the implications of hosting the user content SVGs on the same domain? Should I instead host them on foobarusercontent.com?
Yes, that would restrict the user's actions to the origin foobarusercontent.com (which may or may not be appropriate for your use).
Does the <object> tag support an equivalent of the sandbox attribute? Is there another way to set permissions for an <object>?
Not as far as I am aware (see also Mozilla, which doesn't list any relevant tags).
What specifications describe the security model for <object>?
I am unaware of a standard for this. Because of this, I would be very careful when embedding user-supplied data into an object. Hosting the data on a designated domain is a good idea. Parsing the data and filtering malicious (JavaScript-related) tags and attributes would also be good (if acceptable). Do ensure that it is acceptable that users can run JavaScript on that domain (i.e., no auth cookies; I also wouldn't allow uploading of .js files to the domain, as it would allow installation of service workers, which would allow an attacker to log URLs users visit, and thus possibly disclose (private) files hosted on the domain).
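One way to implement the filtering step this answer recommends, as an added example that is not code from the answer or from the site in question: an allowlist pass over the parsed SVG that drops script elements, foreignObject (arbitrary HTML), event-handler attributes, javascript: links and animations that retarget an href. Which elements and attributes are removed is this example's own choice, and the sample SVG is constructed from the answer's test file plus the cases the filter must catch. It is defence in depth only; serving the files from a separate origin remains the primary control.

```python
"""Allowlist filter for user-uploaded SVG, applied before the file is served.

Added example, not code from the answer above or from the site it describes.
It performs the filtering step that answer recommends (drop script-bearing
elements, event-handler attributes and javascript: links) as defence in
depth; serving the files from a separate origin remains the primary control.
Which elements and attributes are dropped is this example's own choice.
"""
import re
import xml.etree.ElementTree as ET  # for untrusted input, defusedxml.ElementTree offers the same API and blocks entity-expansion attacks

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Elements removed together with their subtree: they run script or embed
# arbitrary HTML (foreignObject), which nothing below could inspect.
DROP_ELEMENTS = {"script", "foreignObject", "handler"}
# Animation elements may retarget an href to a javascript: URL at runtime.
ANIMATORS = {"animate", "set"}
SAFE_DATA_IMAGE = re.compile(r"data:image/(png|jpeg|gif|webp);", re.IGNORECASE)


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def href_is_safe(value):
    """Allow same-document references and inline raster images only.

    Anything else (javascript:, http(s):, data:image/svg+xml, ...) is dropped,
    so the SVG cannot run script through a link or pull in external content.
    """
    v = value.strip()
    return v.startswith("#") or SAFE_DATA_IMAGE.match(v) is not None


def _clean_attributes(el, removed):
    for name in list(el.attrib):
        local = _local(name).lower()
        if local.startswith("on"):          # onclick, onload, ... (event handlers)
            del el.attrib[name]
            removed.append("@" + local)
        elif local == "href" and not href_is_safe(el.attrib[name]):
            del el.attrib[name]
            removed.append("@href")


def _walk(parent, removed):
    for child in list(parent):
        name = _local(child.tag) if isinstance(child.tag, str) else ""
        retargets_href = (name in ANIMATORS
                          and child.get("attributeName", "").lower() in ("href", "xlink:href"))
        if name in DROP_ELEMENTS or retargets_href:
            parent.remove(child)
            removed.append(name)
            continue
        _clean_attributes(child, removed)
        _walk(child, removed)


def sanitize_svg(svg_text):
    """Return (cleaned SVG text, list of what was removed).

    Raises ValueError for input whose root element is not <svg>. CSS in
    <style> elements or style attributes is passed through unchanged.
    """
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    _clean_attributes(root, removed)
    _walk(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: the answer's test SVG plus an event handler and a
# javascript: link, which are the cases the filter must catch.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="110">
  <rect width="300" height="100" onclick="alert(1)"
        style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><text x="10" y="50">bad link</text></a>
  <a xlink:href="#rect1"><text x="10" y="80">same-document link</text></a>
</svg>"""

if __name__ == "__main__":
    cleaned, dropped = sanitize_svg(SAMPLE_SVG)
    print(dropped)   # ['@onclick', 'script', '@href']
    print(cleaned)
```

The filter works on the parsed tree rather than on the text, so obfuscated spellings, namespaced attribute names and nested elements are all seen in their canonical form. Remember that it does not look inside CSS, and that a parser for untrusted XML should be hardened against entity expansion (defusedxml is the usual drop-in).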
Looking at the HTML specifications, it doesn't seem like it's possible to set a sandbox attribute.
HTML Specifications
Here are some examples of how object might be used.
Examples
According to Mozilla, adding a sandbox attribute to object was discussed at some point on WHATWG's mailing list.
Reference to discussion mention
It seems the iframe tag has existed since May 2008 according to this. I've been looking through the mailing list from that date but I haven't found that discussion about object sandboxing yet.
iframe added discussion
Here's the mailing list that's been archived.
whatwg mailing list archive
I think for any further information you should consider chatting with WhatWG right here.
WhatWG Chat

How to make allow-scripts and allow-same-origin coexist in iframe?

So I just want to sandbox one HTML file in an iframe, and it works as long as there is just the allow-scripts attribute, but as soon as I add allow-same-origin it stops working because of this:
Notes about sandboxing:
When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
Sandboxing is useless if the attacker can display content outside a sandboxed iframe — such as if the viewer opens the frame in a new tab. Such content should be also served from a separate origin to limit potential damage.
The sandbox attribute is unsupported in Internet Explorer 9 and earlier.
From:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
Code of iframe:
<iframe src="index.html" sandbox="allow-scripts allow-same-origin"></iframe>
I want allow-same-origin because I want to use the same CSS in the iframe as in index.html.
Host the iframe on a different domain. This will keep the iframe secure when using sandbox="allow-scripts allow-same-origin".
But either way, CSS does NOT inherit in iframes. In fact, that's the whole purpose of iframes. And you can load the same CSS file in both pages, even without allow-same-origin set.

Flash does not work in an iframe with the sandbox attribute

I've used an iframe to show some pages. These pages may contain Adobe Flash content like a video.
My problem is that the Adobe Flash doesn't execute in an iframe with the sandbox attribute.
My iframe tag:
<iframe sandbox="allow-popups allow-pointer-lock allow-same-origin allow-forms allow-scripts" src="http://example.com"></iframe>
Short answer: you can't execute the Flash plugin in a sandboxed iframe.
The spec: http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox
Plugins that cannot be secured are disabled in sandboxed browsing
contexts because they might not honor the restrictions imposed by the
sandbox (e.g. they might allow scripting even when scripting in the
sandbox is disabled). User agents should convey the danger of
overriding the sandbox to the user if an option to do so is provided.
For comprehensive information about the sandbox attribute: http://blog.dareboost.com/en/2015/07/securing-iframe-sandbox-attribute/

How can I iframe a website such that popups do not happen?

I want to embed
http://www.yocast.tv/embed.php?s=dx123&width=1340&height=540&domain=cricketembed.com
in an iframe. However, that site produces too many popups. I want to put it in the iframe such that no popups happen. Is that possible? This is a third-party domain and I have no control over it.
Add a sandbox attribute to the iframe. (Note: limited support).
<iframe ... sandbox="">
Leaving it as an empty string will disable most features; you can selectively add them using a space-separated list of acceptable features. See the specification for available features.
You do not want to include allow-popups in that list. Firefox does not support allow-popups so you might not want to allow-scripts either.

Is there any point in using the seamless and or sandbox attribute for YouTube iframes?

Update: This question is no longer valid. See comment below.
YouTube embedding is done using iframes nowadays.
HTML5 introduces the seamless attribute, that not only should affect presentation, but make the integration with the host page tighter. (It should not be announced to screen readers as a separate document.)
HTML5 introduces the sandbox attribute, that restricts the iframe and thus improves security.
In a world where browser support for these 2 attributes is complete, will they benefit or in any way adversely affect the page, when embedding YouTube videos? (Yes, the last half of the question is primarily about seamless.)
I am thinking about recommending my students to always use these 2 attributes for YouTube videos and benefit automatically as browser support becomes available.
I'll focus on just discussing the sandbox attribute.
To play YouTube videos in a sandbox you need to do the following:
Add sandbox="allow-scripts allow-same-origin"
Add ?html5=1 to the video URL
A problem with #1 is that Flash will not be loaded; whether Flash is required depends on a few things, such as the end user's browser, their YouTube settings, or whether a video is simply not available as an HTML5 video (this is worsened by #2).
Another (more serious) problem with #1 is that the combination of allow-scripts and allow-same-origin effectively removes any security benefit you would have otherwise enjoyed.
Conclusion
Forget about using the sandbox attribute for YouTube video embedding.
Further reading
HTML5 Sandbox and some notes
Error playing embedded youtube video in a sandboxed iframe
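The rules that run through this page (the first question's allow-same-origin without allow-scripts, the "coexist" question's allow-scripts + allow-same-origin warning, the popup question's empty sandbox, and the answer above) can be written down as a small static model. This is an added example, not code from any post here or from any browser: it parses a sandbox attribute value the way the attribute is defined (space-separated, ASCII case-insensitive, unknown tokens ignored) and reports what a frame could do from the embedder's point of view. The token names are the real HTML ones; the capability keys and the render_iframe helper are this example's own, hypothetical wording.

```python
"""Static model of the iframe ``sandbox`` attribute.

Added example, not code from any post on this page. It encodes the rules
the posts quote: the attribute is a space-separated, case-insensitive set
of tokens, an empty value applies every restriction, plugins never run in
a sandbox, and ``allow-scripts`` plus ``allow-same-origin`` on a document
served from the embedder's own origin lets the framed page remove its
sandbox. Token names are the real HTML ones; the capability keys below
are this example's own wording, and ``render_iframe`` is a hypothetical
helper for emitting the element from an allowlist of tokens.
"""
from html import escape
from urllib.parse import urljoin, urlsplit

# Tokens defined for the sandbox attribute; browsers silently ignore anything
# else, so render_iframe rejects unknown tokens instead of emitting them.
KNOWN_TOKENS = frozenset({
    "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
    "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
    "allow-presentation", "allow-same-origin", "allow-scripts",
    "allow-top-navigation", "allow-top-navigation-by-user-activation",
})

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_sandbox(value):
    """Recognised tokens in an attribute value (ASCII case-insensitive)."""
    return {t.lower() for t in value.split()} & KNOWN_TOKENS


def origin_of(url):
    """(scheme, host, port) tuple used for the same-origin comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(scheme))


def effective_policy(sandbox_value, embedder_url, frame_src):
    """What a frame with this sandbox value can do, seen from the embedder.

    ``frame_src`` may be relative (like ``file.html`` in the first question);
    it is resolved against ``embedder_url`` before the origins are compared.
    """
    tokens = parse_sandbox(sandbox_value)
    same_origin = origin_of(urljoin(embedder_url, frame_src)) == origin_of(embedder_url)
    scripts = "allow-scripts" in tokens
    # Without allow-same-origin the document gets a unique opaque origin and is
    # cross-origin to everything, including the server it was loaded from.
    keeps_origin = "allow-same-origin" in tokens
    dom_shared = keeps_origin and same_origin
    warnings = []
    if dom_shared and scripts:
        warnings.append("allow-scripts + allow-same-origin on a same-origin document: "
                        "the framed page can remove its own sandbox; serve it from a separate origin")
    if "allow-popups" in tokens:
        warnings.append("allow-popups: the frame may open new windows")
    if "allow-top-navigation" in tokens:
        warnings.append("allow-top-navigation: the frame may navigate the top-level page")
    return {
        "frame_scripts_run": scripts,
        "parent_reads_frame_dom": dom_shared,          # first question: needs no allow-scripts
        "frame_reads_parent_dom": dom_shared and scripts,
        "frame_uses_own_cookies": keeps_origin,        # document.cookie for the frame's real origin
        "popups": "allow-popups" in tokens,
        "top_navigation": ("allow-top-navigation" in tokens
                           or "allow-top-navigation-by-user-activation" in tokens),
        "forms": "allow-forms" in tokens,
        "plugins": False,                              # Flash and other plugins are always disabled
        "can_escape_sandbox": dom_shared and scripts,
        "warnings": warnings,
    }


def render_iframe(src, tokens=()):
    """Emit an <iframe> with an explicit sandbox allowlist (hypothetical helper).

    An empty token list yields sandbox="" (every restriction applied), which is
    the answer given for the popup question. Unknown tokens raise instead of
    being silently dropped.
    """
    bad = [t for t in tokens if t.lower() not in KNOWN_TOKENS]
    if bad:
        raise ValueError("unknown sandbox token(s): " + ", ".join(bad))
    value = " ".join(sorted(t.lower() for t in tokens))
    return '<iframe src="%s" sandbox="%s"></iframe>' % (escape(src, quote=True), value)


if __name__ == "__main__":
    for value, src in [("allow-same-origin", "file.html"),
                       ("allow-scripts allow-same-origin", "index.html"),
                       ("", "http://www.yocast.tv/embed.php")]:
        print(value or "(empty)", src, effective_policy(value, "https://app.example/", src))
```

Running it for the page's three cases shows the pattern the answers describe: allow-same-origin alone lets the parent script the frame's DOM while the frame's own scripts stay off; adding allow-scripts on a same-origin document flips can_escape_sandbox to True; and an empty value on a third-party URL leaves popups, scripts and top navigation all False.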
No, fullscreen does not seem to work with both attributes enabled; if you are in the HTML5 beta, check an example here:
http://bcmoney-mobiletv.com/view/2133/monty-python-tax-sketch/
However, when I leave the HTML5 beta program it plays back in the standard YouTube Flash player, which ignores those iframe attributes completely.
So, it really depends what your goals are. If you want added security and an experience that feels more like an in-page web video that is controlled by your page, go ahead and use those attributes, however, if you want to give the user a full range of controls and options, leave off sandbox and/or seamless.