Background
We've identified a critical defect in the web popup's custom HTML feature, allowing malicious script injection. To mitigate this risk, we've introduced iframe sandboxing for enhanced security against cross-site scripting (XSS) vulnerabilities.
Implementation
To address the risk of cross-site scripting (XSS) vulnerabilities, we've implemented iframe sandboxing for enhanced security.
Testing Strategy
We've extensively tested the solution across various custom-html web popups, examining notification viewing and clicking events, as well as CleverTap actions such as 'event.push,' 'profile.push,' and 'onUserLogin.push.' Additionally, we're using a dashboard flag to distinguish between old and new campaigns, applying the fix solely to new ones, while ensuring it doesn't interfere with form-based templates.
Impact Areas
The change will have a big impact because we're sandboxing the iframe. This might cause problems for features that rely on the iframe talking to the main window. Before, users would send events or update profiles using 'window.parent' commands. Now, in new campaigns, they'll need to remove 'window.parent' from these commands because of the sandboxing. For example, they'll switch from 'window.parent.clevertap.event.push(eventName)' to just 'clevertap.event.push(eventName).' This makes sure everything still works with the sandboxed iframe.
JIRA Issue: WEB-2516
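One way a bare `clevertap.event.push(eventName)` call inside a sandboxed popup could still reach the host page's SDK, shown as an added example that is not part of this PR or of CleverTap's code. It assumes a `postMessage` bridge and a `sandbox="allow-scripts"` iframe; `buildShim`, `makeBridgeHandler` and the `ctBridge` message field are hypothetical names.

```javascript
// Added illustration; not CleverTap SDK code. Assumes sandbox="allow-scripts"
// without allow-same-origin, so the popup frame has an opaque origin.
const ALLOWED = new Set(['event.push', 'profile.push', 'onUserLogin.push']);

// Hypothetical shim the host prepends to the campaign HTML inside the iframe.
// It defines a local `clevertap` whose push calls are relayed to the host page.
function buildShim(parentOrigin) {
  return `window.clevertap = {};
['event', 'profile', 'onUserLogin'].forEach(function (ns) {
  window.clevertap[ns] = { push: function () {
    parent.postMessage({ ctBridge: ns + '.push', args: [].slice.call(arguments) },
                       ${JSON.stringify(parentOrigin)});
  } };
});`;
}

// Host-page listener: forwards only allow-listed calls from the popup frame.
function makeBridgeHandler(iframeWindow, sdk) {
  return function onMessage(event) {
    // Opaque-origin frames report the literal string "null" as their origin.
    if (event.source !== iframeWindow || event.origin !== 'null') return false;
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || !ALLOWED.has(msg.ctBridge)) return false;
    if (!Array.isArray(msg.args)) return false;
    const [ns, fn] = msg.ctBridge.split('.');
    sdk[ns][fn](...JSON.parse(JSON.stringify(msg.args))); // plain data only
    return true;
  };
}

// Constructed demo with stand-in objects for the SDK and the two windows.
function demo() {
  const calls = [];
  const rec = (name) => ({ push: (...a) => calls.push([name, ...a]) });
  const sdk = { event: rec('event'), profile: rec('profile'), onUserLogin: rec('onUserLogin') };
  const popupWin = {}, otherWin = {};
  const handle = makeBridgeHandler(popupWin, sdk);
  const results = [
    handle({ source: popupWin, origin: 'null', data: { ctBridge: 'event.push', args: ['Clicked'] } }),
    handle({ source: otherWin, origin: 'null', data: { ctBridge: 'event.push', args: ['Spoof'] } }),
    handle({ source: popupWin, origin: 'null', data: { ctBridge: 'other.push', args: [{}] } }),
  ];
  return { calls, results };
}
```

In a browser the handler would be registered with `window.addEventListener('message', ...)` and given the popup iframe's `contentWindow`.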