Maps4HTML / MapML.js

A custom <mapml-viewer> and <layer-> element suite
https://maps4html.org/MapML.js/

iframes for query responses can execute scripting #284

Closed Malvoz closed 3 years ago

Malvoz commented 3 years ago

CSP Embedded Enforcement (defines the iframe csp attribute) isn't supported by all major browsers, so we fail to prevent scripts from executing in unsupporting browsers. Additionally, scripting is also executed in Chrome due to a bug where about:srcdoc fails to inherit the policy.

There are at least 2 ways to go about blocking scripts with wide support:

  1. Prepend srcdoc with <meta http-equiv="content-security-policy" content="script-src 'none';">
  2. sandbox the iframes

I think option 1 is more straightforward, and doesn't have any further implications other than blocking scripts, if that's what we want to do.

Malvoz commented 3 years ago

For clarity, I'm referring to:

https://github.com/Maps4HTML/Web-Map-Custom-Element/blob/ad3f1fd1f5498e0ae7b3e03c555899763142d2fb/src/mapml/handlers/QueryHandler.js#L155

https://github.com/Maps4HTML/Web-Map-Custom-Element/blob/ad3f1fd1f5498e0ae7b3e03c555899763142d2fb/src/mapml/handlers/QueryHandler.js#L170

ahmadayubi commented 3 years ago

Alright I'll implement option 1 in an upcoming PR related to issue #282

Malvoz commented 3 years ago

As a side note for option nr. 1, authors of the content inside the iframe can't loosen the policy (to re-enable scripting) by setting their own <meta> CSP, as multiple <meta> CSP policies can only be used to further strengthen an already defined policy (described in https://w3c.github.io/webappsec-csp/#multiple-policies). 👍🏼

Malvoz commented 3 years ago

FWIW option 1 (as opposed to option 2) does not block scripts from executing in nested iframes. It would probably be safer to go with option 2...
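An added example (not code from the MapML.js project or from the handler linked above) showing how the two options discussed in this thread can be combined for a query-response iframe. The `buildSrcdoc`, `queryResponseFrameAttributes` and `createQueryResponseFrame` names and the sample response are assumptions made for illustration.

```javascript
// Added example, not MapML.js code. The sandbox attribute (option 2) is the
// primary control: its restrictions also propagate to frames nested inside the
// response. The <meta> CSP (option 1) is kept as defence in depth for the
// response document itself, and the csp attribute still covers browsers that
// implement CSP Embedded Enforcement.
const SCRIPT_BLOCKING_CSP = "script-src 'none';";

// Prepend the policy so the parser sees it before any of the response markup.
function buildSrcdoc(responseHtml) {
  const meta =
    `<meta http-equiv="content-security-policy" content="${SCRIPT_BLOCKING_CSP}">`;
  return meta + responseHtml;
}

// Attributes for the iframe. An empty sandbox value applies every restriction:
// no scripts, no forms, no same-origin access, no popups, no top navigation.
function queryResponseFrameAttributes(responseHtml) {
  return {
    sandbox: '',
    csp: SCRIPT_BLOCKING_CSP,
    srcdoc: buildSrcdoc(responseHtml),
  };
}

// Hypothetical helper: apply the attributes to a real <iframe> in a browser.
// `doc` is passed in so the function can also be exercised outside a browser.
function createQueryResponseFrame(doc, responseHtml) {
  const iframe = doc.createElement('iframe');
  const attrs = queryResponseFrameAttributes(responseHtml);
  for (const [name, value] of Object.entries(attrs)) {
    iframe.setAttribute(name, value);
  }
  return iframe;
}

// Constructed sample of a query response carrying an inline script and a
// nested frame; the nested frame is the case the last comment above points at.
const SAMPLE_RESPONSE =
  '<p>Feature 42</p><script>alert(1)</script>' +
  '<iframe src="https://example.invalid/nested"></iframe>';
```

In a browser the call is `document.body.appendChild(createQueryResponseFrame(document, responseHtml))`; the `csp` attribute is simply ignored where Embedded Enforcement is unsupported, so the sandbox remains the effective control there.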