If you apply the sandbox attribute to the iframes it should be ok. It allows fine grained control of what the iframe is allowed to do. Scripts, navigation, popups, etc. are forbidden except explicitly allowed.
If nothing else, what happens if someone visits the site without support for `sandbox`? You best option (not displaying it if the browser doesn't support it) breaks the site for users without JS, or that don't have support `sandbox`.
Good point. But the sandbox attribute is around 90% [1] of browsers. The number of browsers which don't support it and don't run javascript may be too low to make supporting them practical, but YMMV.
Assuming you're talking about `sandbox`, I'd be wary about that.
If nothing else, what happens if someone visits the site without support for `sandbox`? You best option (not displaying it if the browser doesn't support it) breaks the site for users without JS, or that don't have support `sandbox`.
This is why I think per-site security settings in the browser are a good thing. Regardless of whether it's in an iframe or not, if I haven't allowed some site to run scripts/use cookies/etc., it won't.
Opera (before they switched to WebKit/Blink) has per-site settings. IE has security zones (not per-site, but only a trusted/untrusted grouping.) Firefox can do it with extensions like NoScript, and I'm not familiar enough with Chrome or anything WebKit/Blink-based to know whether it can be done.
Would it be possible to constantly scan the DOM for new iframes and add the attribute with JS? Seems like there might be a small window of opportunity though for bad things to happen, if it would even work.
14 comments
[ 2.8 ms ] story [ 32.8 ms ] threadUserify just removed all third party inclusions except CDN from the app itself. I wish more companies would do this.
What's the point of strong TLS if you're potentially leaking every click and keystroke to a third party?
Use Privacy Badger where you can: https://www.eff.org/privacybadger
If nothing else, what happens if someone visits the site without support for `sandbox`? You best option (not displaying it if the browser doesn't support it) breaks the site for users without JS, or that don't have support `sandbox`.
[1] http://caniuse.com/#feat=iframe-sandbox
And I'd be one of those users who would be cut out by JS requirements. Just so you know, that number is not zero.
JS is nowhere near as secure as it is often toted as being. You don't want to find yourself being host to a zero-day attack.
If nothing else, what happens if someone visits the site without support for `sandbox`? You best option (not displaying it if the browser doesn't support it) breaks the site for users without JS, or that don't have support `sandbox`.
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...