- From: Conrad Irwin <conrad.irwin@gmail.com>
- Date: Mon, 20 Jul 2015 15:37:14 -0700
- To: public-webappsec@w3.org
- Message-ID: <CAOTq_pvVWpEQduFeC4iB3SpbmOFFazsKRypvOcq-E2Cb-MPutQ@mail.gmail.com>
Hi All,

I'm writing an HTML5-based email client, and I'd like to be able to render emails in iframes safely. In particular I'd like to be able to specify the Content-Security-Policy that should apply to the iframe even though I'm not loading its content over HTTP, so I can't use a header.

Right now, I'm using DOMPurify [1] to remove javascript and rewrite URLs via a secure proxy, but I'd like a belt and braces approach where the browser can enforce these restrictions too. Interestingly the return value of DOMPurify is a document object, so I'm filling the iframe by assigning to .contentDocument directly.

I looked into using the sandbox attribute [2], but it suffered from two drawbacks:

a) I can't add event listeners to the contents of the iframe, which is necessary for keyboard shortcuts. [3]
b) Tabs opened by the iframe inherit the security policy, so it breaks javascript on pages that emails link to. [4]

So now I'm inserting a Content-Security-Policy using a meta tag on the purified document.

I would love to be able to specify the Content-Security-Policy from the parent document not the loaded document, as that feels cleaner. It would also hopefully let me add CSP reports, and other features that are not supported by meta-tag CSP policies.

Conrad

1. https://github.com/cure53/DOMPurify
2. http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
3. https://code.google.com/p/chromium/issues/detail?id=489431
4. https://code.google.com/p/chromium/issues/detail?id=492309
Received on Monday, 20 July 2015 22:38:07 UTC
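
The meta-tag approach described in the message, as an added example that is not part of the original post or of DOMPurify: it builds a policy for a purified email document, drops the directives that are ignored when a policy is delivered through a meta element (which is why reporting is unavailable there), and inserts the tag first in the head. The function names, the proxy origin `https://proxy.example`, the `/csp-report` path and the policy contents are assumptions chosen for illustration.

```javascript
// Directives the CSP specification ignores when the policy arrives via
// <meta http-equiv="Content-Security-Policy"> instead of an HTTP header.
const META_IGNORED = new Set(["report-uri", "frame-ancestors", "sandbox"]);

// Turn {directive: [sources]} into a policy string usable in a meta tag.
// Returns the string plus the directives that had to be dropped, so the
// caller can see which protections the meta delivery does not provide.
function buildMetaPolicy(directives) {
  const kept = [];
  const dropped = [];
  for (const [name, sources] of Object.entries(directives)) {
    const key = name.toLowerCase();
    if (META_IGNORED.has(key)) {
      dropped.push(key);
      continue;
    }
    for (const s of sources) {
      // ';' ends a directive and ',' starts a second policy: reject both.
      if (/[;,\s]/.test(s)) throw new Error(`invalid source expression: ${s}`);
    }
    kept.push([key, ...sources].join(" "));
  }
  return { policy: kept.join("; "), dropped };
}

// Insert the policy into an already purified Document (assumed input).
// It goes first in <head>, since a meta policy does not apply to content
// that precedes it in the document.
function applyMetaPolicy(doc, policy) {
  const head = doc.head;
  if (!head) throw new Error("document has no <head>");
  const meta = doc.createElement("meta");
  meta.setAttribute("http-equiv", "Content-Security-Policy");
  meta.setAttribute("content", policy);
  head.insertBefore(meta, head.firstChild);
  return meta;
}

// Constructed sample policy: no scripts, images only via the rewrite proxy.
function emailPolicy(proxyOrigin) {
  return buildMetaPolicy({
    "default-src": ["'none'"],
    "img-src": [proxyOrigin],
    "style-src": ["'unsafe-inline'"],
    "report-uri": ["/csp-report"], // dropped: ignored in meta policies
  });
}
```
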