Programmatically declaring the CSP of an iframe

From: Conrad Irwin <conrad.irwin@gmail.com>
Date: Mon, 20 Jul 2015 15:37:14 -0700
Message-ID: <CAOTq_pvVWpEQduFeC4iB3SpbmOFFazsKRypvOcq-E2Cb-MPutQ@mail.gmail.com>
To: public-webappsec@w3.org

Hi All,

I'm writing an HTML5-based email client, and I'd like to be able to render
emails in iframes safely. In particular I'd like to be able to specify the
Content-Security-Policy that should apply to the iframe even though I'm not
loading its content over HTTP, so I can't use a header.

Right now, I'm using DOMPurify [1] to remove JavaScript and rewrite URLs
via a secure proxy, but I'd like a belt and braces approach where the
browser can enforce these restrictions too. Interestingly the return value
of DOMPurify is a document object, so I'm filling the iframe by assigning
to .contentDocument directly.

I looked into using the sandbox attribute [2], but it suffered from two
drawbacks:
a) I can't add event listeners to the contents of the iframe, which is
necessary for keyboard shortcuts. [3]
b) Tabs opened by the iframe inherit the security policy, so it breaks
JavaScript on pages that emails link to. [4]

So now I'm inserting a Content-Security-Policy using a meta tag on the
purified document.
I would love to be able to specify the Content-Security-Policy from the
parent document, not the loaded document, as that feels cleaner. It would
also hopefully let me add CSP reports, and other features that are not
supported by meta-tag CSP policies.

Conrad

1. https://github.com/cure53/DOMPurify
2. http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
3. https://code.google.com/p/chromium/issues/detail?id=489431
4. https://code.google.com/p/chromium/issues/detail?id=492309
Received on Monday, 20 July 2015 22:38:07 UTC
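
The meta-tag approach described in the message above, as an added example that is not part of the original post or the author's code: it builds the policy for a purified document and reports which directives meta delivery drops (`report-uri`, `frame-ancestors` and `sandbox` are ignored in a `<meta>` policy). The function names, the sample policy, `proxy.example` and `/csp-report` are assumptions, and `doc` is assumed to be a Document with a `<head>`.

```javascript
// Added example, not code from the original post.
// Directives a browser ignores when the policy arrives in a <meta> element
// instead of an HTTP response header (per the CSP specification).
const META_IGNORED = new Set(['report-uri', 'frame-ancestors', 'sandbox']);

// Constructed sample policy for a rendered email; proxy.example stands in for
// the image proxy and /csp-report for a report endpoint (both assumptions).
const EMAIL_POLICY = {
  'default-src': ["'none'"],
  'img-src': ['https://proxy.example'],
  'style-src': ["'unsafe-inline'"],
  'report-uri': ['/csp-report'],
};

// Serialize {directive: [sources]} into a policy string and list the
// directives that would be silently dropped under <meta> delivery.
function buildMetaPolicy(directives) {
  const kept = [];
  const ignored = [];
  for (const [name, sources] of Object.entries(directives)) {
    const key = name.toLowerCase();
    if (!/^[a-z-]+$/.test(key)) throw new Error(`invalid directive name: ${name}`);
    if (META_IGNORED.has(key)) { ignored.push(key); continue; }
    for (const s of sources) {
      // A ';' or ',' in a source would start a new directive or policy.
      if (s === '' || /[;,\s]/.test(s)) throw new Error(`invalid source: ${s}`);
    }
    kept.push([key, ...sources].join(' '));
  }
  return { policy: kept.join('; '), ignored };
}

// Put the policy first in <head> so it is in place before any later element
// of the purified document. Returns the directives that were left out.
function applyMetaCsp(doc, directives) {
  const { policy, ignored } = buildMetaPolicy(directives);
  const meta = doc.createElement('meta');
  meta.setAttribute('http-equiv', 'Content-Security-Policy');
  meta.setAttribute('content', policy);
  doc.head.insertBefore(meta, doc.head.firstChild);
  return ignored;
}
```

The returned list makes the gap visible: anything in it, such as reporting, still needs a header-delivered policy or another mechanism.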