Reputation: 2511
Restrict or prevent iframe navigation
I have a top page which contains an iframe with untrusted content. I am hosting the untrusted content on a domain that I control, and can (in theory) make changes to it. Short of analyzing the source code with something like Google Caja, is there any way that I can prevent the untrusted content from navigating the frame itself to other URLs? (or ideally restrict it to the trusted domain)
Related, but not quite:
- Only addresses anchor tags, not navigation in general
- Lots and lots of webpages talking about sandbox with "allow-top-navigation". Doesn't help because I want to restrict navigation of the frame itself
Background: My goal is to allow untrusted content to run in the iframe and to pass some user data to it, but I don't want the untrusted content to turn around and send this data to a 3rd-party. (The content will be allowed instead to postMessage any results to an API exposed by the parent window.) Content Security Policy HTTP headers on the untrusted content allow me to restrict all manner of network requests except navigation.
Upvotes: 2
Views: 835
Answers (1)
Reputation: 2511
I randomly saw this new Content Security Policy option hinted at on MDN (with a little flask on it, so may still be experimental...)
navigation-to
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Upvotes: 1
Related Questions
- Prevent IFrame Navigation
- prevent user from navigating inside Iframe
- Disable navigation on iframe outside HTML
- How to disable direct access to Iframe
- Is it possible to selectively limit an iframe's access to its parent document?
- preventing iframe security issue
- ensuring that iframed content cannot access parent via javascript
- How to forbid framing
- Navigation only in iframe
- Iframe Security Issues