Re: [csswg-drafts] [css-sizing] Auto-resize iframes based on content (#1771)

Here's a popular example, to support my point that I think it would overall _increase_ security of the web to make this possible:

GitHub recommends embedding _Gists_ into other websites using a `<script>` tag.

![image](https://user-images.githubusercontent.com/10532611/113852044-662f4b80-979c-11eb-9bb1-4b6f8c54b95e.png)

If we look at what that script does, e.g. https://gist.github.com/olafurpg/94e0e735ceda0a355fa7e226c1431466.js, we see that all it does is use `document.write()` to add a CSS stylesheet and output HTML with the Gist.
There is no reason this would have to need a `<script>` tag, other than that if embedding worked through an `<iframe>`, there would be no easy way for GitHub to resize it based on the Gist size (not without telling embedders to add JS to their page that communicates through `postMessage()`, which is too much to ask for). So instead, they go with a simple `<script>` tag.

What does this mean for security? That script can execute any JS in the context of the page and has full control of the DOM. Gists are user content, and that user content is escaped by the GitHub backend and put into the string passed to `document.write()`. If there is _any_ bug in that escaping logic, a malicious user could craft a Gist that doesn't escape properly and injects arbitrary JS into any page embedding the Gist. And if you get access to someone's GitHub account, you can change Gists that are already embedded somewhere (e.g. it's the most common method to embed code snippets in Medium blog posts).

I think this is a huge security flaw "forced" by the shortcomings of the platform atm.

Now imagine if GitHub could simply use `<iframe>`s. They would be sandboxed and the JS could get compromised as much as you want - it could never affect the parent page (besides growing in size, which is easy to control with CSS from the outside, even with a `style` tag on the snippet that GitHub would recommend).

-- 
GitHub Notification of comment by felixfbecker
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1771#issuecomment-814806851 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 7 April 2021 10:39:44 UTC
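The two embedding models the comment contrasts, reduced to pure functions so they run under Node. This is an added example and not code from the thread, from GitHub or from the CSS WG; the `escapeHtml`, `buildScriptEmbed`, `buildResizeMessage` and `handleResizeMessage` functions, the `embed-resize` message type and the `https://embed.example` origin are all constructed for illustration. The first half shows why the `<script>` model stands or falls with its escaping: the server must get both the HTML layer and the JS string-literal layer right. The second half shows the `postMessage()` resize channel the comment says is too much to ask of embedders, written the way a host page should handle it (origin and source checks, a type check, and a height cap so a compromised frame can at most grow to a bounded size).

```javascript
// Model 1: <script> embed. The host page runs third-party JS that calls
// document.write() with server-escaped user content, so the host's safety
// depends entirely on that escaping being correct in both layers:
// the HTML text layer and the JS string-literal layer wrapping it.

// HTML text/attribute escaping for user-supplied content (constructed helper).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the body of an embed script, a constructed stand-in for a gist .js file.
// JSON.stringify yields a valid JS string literal; the extra "</" -> "<\/"
// rewrite keeps a literal "</script>" inside the content from terminating the
// host page's <script> element even if the HTML layer were ever bypassed.
function buildScriptEmbed(snippetText, cssHref) {
  const html =
    `<link rel="stylesheet" href="${escapeHtml(cssHref)}">` +
    `<pre class="gist">${escapeHtml(snippetText)}</pre>`;
  const literal = JSON.stringify(html).replace(/<\//g, "<\\/");
  return `document.write(${literal});`;
}

// Model 2: <iframe> embed with a resize channel. The frame only ever sends a
// number; the host validates origin, source and value before touching the DOM.

const RESIZE_TYPE = "embed-resize"; // constructed message type
const MAX_HEIGHT_PX = 5000;         // cap chosen for this example

// Inside the frame: the message it posts to the host after layout.
function buildResizeMessage(documentHeightPx) {
  return { type: RESIZE_TYPE, height: Math.ceil(documentHeightPx) };
}

// Host side. `event` mirrors a MessageEvent ({ origin, source, data }) and
// `frame` mirrors the <iframe> element ({ contentWindow, style }).
// Returns the height applied in px, or null when the message is rejected.
function handleResizeMessage(event, frame, allowedOrigin) {
  if (event.origin !== allowedOrigin) return null;         // wrong sender origin
  if (event.source !== frame.contentWindow) return null;   // not our frame
  const d = event.data;
  if (!d || d.type !== RESIZE_TYPE) return null;           // unexpected message
  if (!Number.isFinite(d.height) || d.height <= 0) return null;
  const h = Math.min(Math.ceil(d.height), MAX_HEIGHT_PX);  // bound the growth
  frame.style.height = `${h}px`;
  return h;
}

// Stand-alone demo with constructed input.
const demoScript = buildScriptEmbed(
  "</script><script>alert(1)</script>",   // hostile-looking snippet text
  "https://embed.example/gist.css"
);
console.log(demoScript);
const demoFrame = { contentWindow: {}, style: {} };
console.log(handleResizeMessage(
  { origin: "https://embed.example", source: demoFrame.contentWindow,
    data: buildResizeMessage(412.3) },
  demoFrame, "https://embed.example"
));
```

In a real host page `handleResizeMessage` would be wired to `window.addEventListener("message", ...)` with `allowedOrigin` set to the embed's origin and `frame` being the `<iframe>` element; the check on `event.source` is what keeps a second, unrelated frame on the same origin from resizing this one. Everything outside the number is still governed by the iframe boundary and its `sandbox` attribute, which is the property the comment is after.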