
I want to embed user provided HTML code in my website. The code will be self-contained, and will contain script and style tags. I am planning to block all network calls from the provided HTML code by using Content Security Policy headers. The code will only be able to access standard libraries like jquery and other standard resources (the same will be specified in the CSP). I want to restrict any communication between the iframe content and the parent domain.

My plan is to use an <iframe> to embed the content. The user will give an input, and then on clicking a button, an iframe will be rendered with the given input snippet. It will be rendered inline with other content of the page.

I am concerned about the effect of this on the security of my website.

  1. Can I make the origin of the iframe null? Or will I have to host my content on a separate domain so that SOP blocks all the network calls to the parent page?
  2. Will I be able to set up CSP for the iframe separately? If yes, can anyone suggest what all attributes the CSP should have?
  3. Can I take the input HTML and inject it directly into my iframe from the parent page?

If there are other alternatives which don't use iframe, which are those?

1 Answer


Can I make the origin of the iframe null? Or will I have to host my content on a separate domain so that SOP blocks all the network calls to the parent page?

You can make the origin of the iframe null if you use, for instance, a data: URL. This will prevent cross-origin requests in modern browsers, but the Content Security Policy of the parent document will be inherited by the iframe in all browsers.
In this case some old browsers (Firefox/WinXP) will spread the CSP from the iframe to the parent document too.

Will I be able to set up CSP for the iframe separately? If yes, can anyone suggest what all attributes the CSP should have?

You are able to set a separate CSP for the iframe only if it is loaded via a network scheme (http:/https:); then an isolated browsing context is created. With non-network schemes (data:, blob:, etc.) the iframe will inherit the CSP of the parent document.
In the case of an isolated browsing context you can use any "attributes the CSP" that you need for your specific case.
Pay attention to the csp= and sandbox= attributes; these can be useful.

Can I take the input HTML and inject it directly into my iframe from the parent page?

This contradicts your statement: "I want to restrict any communication between the iframe content and the parent domain."
Therefore all communication is possible via the server only.

If there are other alternatives which don't use iframe, which are those?

Isolated browsing contexts can be created via <object>/<embed>, but these are not useful in your case.


4 Comments

Thanks for the answer. Can you tell how much security using sandbox="allow-scripts" provides compared to a strict CSP policy?
Can I take the input HTML and inject it directly into my iframe from the parent page? By this I meant that I want to provide the src/srcdoc of the iframe from the parent. E.g. src="<h1>Hello</h1>".
CSP restricts the sources from which scripts can be loaded. Sandbox restricts script possibilities. sandbox="allow-scripts" disallows alert(), confirm(), print(), prompt() and the beforeunload event, since the allow-modals flag is omitted. Also disallowed will be window.open(), target='_blank', showModalDialog(), form submission and a lot of others, since the corresponding flags are not specified.
srcdoc= leads the iframe to have the same origin as the parent page -> full access to the parent page (non-isolated iframe). The isolation level of src= depends on the scheme used. In the case of 'data:'/'blob:', the CSP of the parent page will act inside the iframe too. In the case of 'http:'/'https:' the iframe will be totally isolated and can have its own CSP (via meta tag or CSP HTTP header).
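As an added example (not code from the question, the answer or the comments), a small JavaScript module that turns the rules given above into checks: it builds the CSP the separate snippet origin should send, classifies an <iframe> configuration by which origin and CSP its content ends up with, and produces the iframe attributes the asker's plan needs. The three origins and the /snippets/ path are assumed placeholders.

```javascript
// Added example, not code from the question or answer. The three origins are
// placeholders (assumption); replace them with the real parent, sandbox and CDN hosts.
const PARENT_ORIGIN = "https://app.example";
const SANDBOX_ORIGIN = "https://usercontent.example";
const LIBRARY_ORIGIN = "https://cdn.example";

// CSP the sandbox origin sends with each user snippet (HTTP header or <meta>): no
// network access except the allow-listed library host, no form posts, and only the
// parent origin may frame it. 'unsafe-inline' is unavoidable because the snippet
// carries its own <script>/<style>; what the policy removes is network access.
function buildSnippetCsp() {
  return [
    "default-src 'none'",
    `script-src ${LIBRARY_ORIGIN} 'unsafe-inline'`,
    `style-src ${LIBRARY_ORIGIN} 'unsafe-inline'`,
    "img-src data:",
    "connect-src 'none'",
    "form-action 'none'",
    "base-uri 'none'",
    `frame-ancestors ${PARENT_ORIGIN}`,
  ].join("; ");
}

// Classify an <iframe> configuration using the rules from the answer and comments:
// srcdoc=, about:blank and blob: documents get the parent's origin and CSP; data:
// gets a null (opaque) origin but still inherits the parent's CSP; only an http(s)
// document is a separate context that can carry its own CSP. A sandbox attribute
// without allow-same-origin forces an opaque origin in every case. `sandbox` is
// null when the attribute is absent, otherwise its (possibly empty) value.
function classifyIframe({ src = null, srcdoc = null, sandbox = null }) {
  const flags = new Set(sandbox === null ? [] : sandbox.split(/\s+/).filter(Boolean));
  const sandboxed = sandbox !== null && !flags.has("allow-same-origin");
  let origin, csp;
  if (srcdoc !== null || /^(about|blob):/i.test(src)) {
    origin = "parent"; csp = "inherited";
  } else if (/^data:/i.test(src)) {
    origin = "opaque"; csp = "inherited";
  } else if (/^https?:/i.test(src)) {
    origin = new URL(src).origin === PARENT_ORIGIN ? "parent" : "cross-origin";
    csp = "own";
  } else {
    throw new Error(`unsupported iframe source: ${src}`);
  }
  if (sandboxed) origin = "opaque";
  return { origin, csp, isolated: origin !== "parent" && csp === "own" };
}
// What the question's plan needs: the snippet is stored server-side, then fetched from
// the separate origin; scripts may run, but no other sandbox flag is granted.
function snippetFrameAttributes(snippetId) {
  return { src: `${SANDBOX_ORIGIN}/snippets/${encodeURIComponent(snippetId)}`, sandbox: "allow-scripts" };
}
```

Running classifyIframe over the configurations discussed in the thread shows why only the http(s)-on-another-origin setup (optionally plus sandbox="allow-scripts") satisfies both the "own CSP" and the "no access to the parent" requirements.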
