SAP / luigi

Micro frontend framework
https://luigi-project.io
Apache License 2.0

Limit privileges to microfrontends #40

Closed kwiatekus closed 5 years ago

kwiatekus commented 5 years ago

Description

A parent frame is holding several nested iframes (microfrontends). Communication between components is built on top of the postMessage API. With regard to the postMessage API, communication is only possible between microfrontends and the parent frame. Custom routing logic is implemented to provide further capabilities as required.

IdTokens are being transferred to microfrontends in order for them to authenticate against backend services when required.

Risk

Malicious code in microfrontends could run with unnecessarily high privileges.

Suggested Mitigation

Evaluate the possibility of making microfrontend iframes sandboxed and define a restrictive by default policy allowing only strictly required privileges.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

stale[bot] commented 5 years ago

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 5 years ago

This issue has been automatically closed due to the lack of recent activity.