Vexcess

Reputation: 74

How to use SharedArrayBuffer in an iframe without the iframe unsandboxing itself

I want to allow a sandboxed iframe to use SharedArrayBuffer with web workers created by the iframe. To use SharedArrayBuffer I have to set the following headers:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

However, if I set those headers, the iframe refuses to load and Chrome throws a warning stating:

An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.

How can I allow the iframe to use SharedArrayBuffer without allowing the iframe to unsandbox itself?

The answer here SharedArrayBuffer in an Iframe suggests

adding allow-scripts and allow-same-origin tokens in the iframe's sandbox attribute

but that's exactly what Chrome is telling me not to do.

Also, I have control over the top-level webpage and the iframe's server, but the iframe is a sandbox that runs user-provided code, so I must assume that it will run malicious code. That is why it's important that it can't unsandbox itself, as the top-level domain contains sensitive information such as the user's authentication token.

If it matters, in the sandbox iframe I have Content-Security-Policy set to default-src data: blob: 'self' 'unsafe-inline' 'unsafe-eval' *.kastatic.org *.kasandbox.or cdn.jsdelivr.net;


Upvotes: 1

Views: 183

Answers (1)

Mikko Rantalainen

Reputation: 15935

I've received the warning

An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.

on Google Chrome when I use the following Content-Security-Policy fragment in the host document:

Content-Security-Policy: ... sandbox allow-downloads allow-popups allow-scripts allow-same-origin allow-forms allow-modals allow-popups-to-escape-sandbox allow-presentation allow-top-navigation-by-user-activation;

And I don't even need to use an <iframe> element to get the warning in the JS console! As such, I think there's something broken in the test that emits this warning.

The intent is to allow <iframe> elements in user-generated content loaded from a different origin into the iframe, but never to allow allow-top-navigation. Obviously we don't want content in the <iframe> to be able to lift these restrictions, so if you cannot modify the host document's HTTP headers, you cannot break this – assuming there are no security vulnerabilities in the browser itself.

Upvotes: 1
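An added check for the two points this thread turns on (example code, not from the question or the answer): whether a document's COOP and COEP headers establish cross-origin isolation, the precondition for SharedArrayBuffer, and whether a CSP `sandbox` directive carries the allow-scripts plus allow-same-origin pairing that Chrome warns about, which is also why the answer's CSP fragment alone produces the warning. The function names and the sample header values are mine.

```javascript
// Added example (not from the question or answer): audit a document's response
// headers for cross-origin isolation (COOP + COEP, needed for SharedArrayBuffer)
// and for a CSP `sandbox` directive that pairs allow-scripts with allow-same-origin.

// Parse a Content-Security-Policy value into { directiveName: [tokens] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const [name, ...tokens] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = tokens;
  }
  return policy;
}

// True when a sandbox token list (iframe attribute or CSP directive) lets
// the sandboxed content lift its own restrictions.
function sandboxIsEscapable(tokens) {
  const set = new Set(tokens.map((t) => t.toLowerCase()));
  return set.has("allow-scripts") && set.has("allow-same-origin");
}

// First token of a header value, dropping parameters like report-to="...".
function primaryValue(headerValue) {
  return (headerValue || "").split(";")[0].trim().toLowerCase();
}

function auditHeaders(headers) {
  // Header names are case-insensitive; normalise for lookup.
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const coop = primaryValue(h["cross-origin-opener-policy"]);
  const coep = primaryValue(h["cross-origin-embedder-policy"]);
  const csp = parseCsp(h["content-security-policy"] || "");
  return {
    crossOriginIsolated:
      coop === "same-origin" &&
      (coep === "require-corp" || coep === "credentialless"),
    sandboxEscapable: "sandbox" in csp && sandboxIsEscapable(csp.sandbox),
  };
}

// Constructed sample: the question's two headers plus a sandbox directive like
// the answer's. It is cross-origin isolated, but the sandbox is escapable.
const sampleHeaders = {
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Embedder-Policy": "require-corp",
  "Content-Security-Policy":
    "default-src 'self'; sandbox allow-scripts allow-same-origin allow-forms",
};
console.log(auditHeaders(sampleHeaders));
```

Dropping allow-same-origin from the sandbox token list (or serving the sandboxed content from a separate origin that is not same-origin with the host) clears the escapable flag while the isolation headers keep SharedArrayBuffer available.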
