Re: Programmatically declaring the CSP of an iframe from chaals@yandex-team.ru on 2015-07-20 (public-webappsec@w3.org from July 2015)

From: <chaals@yandex-team.ru>
Date: Tue, 21 Jul 2015 00:55:22 +0200
To: Conrad Irwin <conrad.irwin@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <34551437432922@webcorp02h.yandex-team.ru>

(Not on the CSP issue directly)

You could assign accesskeys for keyboard shortcuts. Although they're not perfect, they have some advantages over javascript listeners as well as some drawbacks.

(One day, accesskeys should get better. Which is IMHO likely to make them a clear preferred option. But don't hold your breath while people think of them as an accessibility feature :S )

cheers

Chaals

21.07.2015, 00:39, "Conrad Irwin" <conrad.irwin@gmail.com>:
> Hi All,
>
> I'm writing an HTML5-based email client, and I'd like to be able to render emails in iframes safely. In particular I'd like to be able to specify the Content-Security-Policy that should apply to the iframe even though I'm not loading its content over HTTP, so I can't use a header.
>
> Right now, I'm using DOMPurify [1] to remove javascript and rewrite URLs via a secure proxy, but I'd like a belt and braces approach where the browser can enforce these restrictions too. Interestingly the return value of DOMPurify is a document object, so I'm filling the iframe by assigning to .contentDocument directly.
>
> I looked into using the sandbox attribute [2], but it suffered from two drawbacks:
> a) I can't add event listeners to the contents of the iframe, which is necessary for keyboard shortcuts. [3]
> b) Tabs opened by the iframe inherit the security policy, so it breaks javascript on pages that emails link to. [4]
>
> So now I'm inserting a Content-Security-Policy using a meta tag on the purified document.
> I would love to be able to specify the Content-Security-Policy from the parent document not the loaded document, as that feels cleaner. It would also hopefully let me add CSP reports, and other features that are not supported by meta-tag CSP policies.
>
> Conrad
>
> 1. https://github.com/cure53/DOMPurify
> 2. http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
> 3. https://code.google.com/p/chromium/issues/detail?id=489431
> 4. https://code.google.com/p/chromium/issues/detail?id=492309

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Monday, 20 July 2015 22:55:55 UTC