-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sandboxed iframe #199
Comments
Instead of using the |
Thank you @tachibana-shin for drawing my attention to this. I did find what you refer to: https://developer.chrome.com/blog/removing-document-write
In this case we execute Note that This is a much simpler solution than having to manage and maintain a service worker for the output page. In addition, using a service worker will require injecting code that handles it in user code, which is something we should aim to avoid if we can. Anyway, regardless of the way we send the code, I think the main goal is to properly sandbox the iframe by keeping the page on a separate origin. |
I like the idea of removing |
We can make a polyfill for that, it's pretty easy |
|
hello,
Thanks for the great project. I used it as a base for Vue support on my project (LiveCodes - an open-source client-side code playground for 80+ frameworks/languages).
https://livecodes.io/?template=vue
I noticed that the result page of the repl is displayed in a sandboxed iframe. However, the code is sent to the iframe by setting
srcdoc
. This does not set a different origin for the iframe.For example, if I run this in the repl, it works!
If we are able to access the repl parent (embedding pages on user websites), then we can read cookies, localStorage and all sorts of bad things. I think this is a major security concern.
I suggest to set the
iframe.src
to a page on a different origin and then send the html usingpostMessage
.This is an example repo, where I added a simple webpage that can be set as
iframe.src
and would accept the HTML sent to it from its parent anddocument.write
s it to itself. I published that to npm so that it can be hosted (with versions) on CDNs. It can be used as this URL: https://unpkg.com/@live-codes/[email protected]/index.html.That was just an example. However, if you agree with that, I would be happy to send a PR for this change.
The text was updated successfully, but these errors were encountered: