NDevTK
commented
1 year ago It should be secure by default :/
Reminds me of https://blog.mattbierner.com/vscode-webview-web-learnings/#sandbox Fix is https://github.com/microsoft/vscode/commit/c569182d081410046ee6e6938e960d1e83063612 which requires a server.
Hi, I originally tried to get in touch via #205 regarding a security concern.
I saw that the web origin issue is a known security issue, but I was wondering if developers should be more explicitly warned about it when deploying the cloud reader app.
Since many websites use readium-js-viewer without hardening it through e.g. iframe sandboxing, they become vulnerable to XSS attacks which can be very dangerous especially if the reader is deployed in an authenticated website, since scripts would be able to use the cookies/authentication tokens of an authenticated user.
Product