Reputation: 11
I would like to allow uploading HTML files which might contain user-created scripts that will be loaded using iframes. So naturally there are a lot of security concerns that need to be considered to protect anyone browsing the site.
If the uploaded files contain scripts that make requests for external resources I would like to block them.
I can think of 3 potential ways to accomplish this:
1) (Ideal) If it were possible to add some sort of rule on the iframe itself to block any data transfers with any server but my own.
2) Add some lines to the uploaded HTML files to restrict their own resources. I found that this might work in some browsers with a meta tag:
http-equiv="Content-Security-Policy"
However, this doesn't seem to work in Firefox.
3) Scan the uploaded files for any external requests. This is not a good solution though as people can probably always find a way to get around such filters.
Also, the "sandbox" attribute of iframes does not block external resources at all.
Upvotes: 1
Views: 1011
Reputation: 83
CSP policies might help you if you want to control the loading of external resources. But to be honest, I'm not sure it is mature and works across all browsers.
If you want to control script execution inside your iframe... the iframe sandbox attribute (HTML5) is interesting, and does the job.
Upvotes: 1
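One way to apply the Content-Security-Policy idea raised in both posts without editing the uploaded files is to have the server send the policy as an HTTP response header on every uploaded document. This is an added example, not code from either poster; the `/uploads/` prefix, the function names and the allowance for inline scripts and styles are assumptions.

```javascript
// Added example (not from the thread). Assumption: uploaded files are served
// from the site's own origin under the hypothetical path prefix /uploads/.
const UPLOAD_PREFIX = '/uploads/';

// CSP for uploaded documents: fetch directives that are not listed fall back
// to default-src, so sub-resources may only come from the serving origin.
const UPLOAD_CSP = {
  'default-src': ["'self'"],
  // Assumption: user scripts and styles are inline in the uploaded HTML.
  'script-src': ["'self'", "'unsafe-inline'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  // Not covered by the default-src fallback, so set explicitly.
  'form-action': ["'self'"],
  'base-uri': ["'none'"],
  // Only pages on the same origin may embed uploads in an iframe.
  'frame-ancestors': ["'self'"],
};

// Serialise the policy object into a single header value.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Normalise the request path first so "/static/../uploads/x.html" is
// recognised as an upload and "/uploads/../index.html" is not.
function isUploadPath(rawUrl) {
  const { pathname } = new URL(rawUrl, 'http://placeholder.invalid');
  return pathname.startsWith(UPLOAD_PREFIX);
}

// Call before writing the response body, for instance inside the callback
// passed to Node's http.createServer((req, res) => { ... }).
function applyUploadHeaders(req, res) {
  if (!isUploadPath(req.url)) return false;
  res.setHeader('Content-Security-Policy', buildCsp(UPLOAD_CSP));
  // Keep browsers from re-interpreting the upload as another content type.
  res.setHeader('X-Content-Type-Options', 'nosniff');
  return true;
}
```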