Open chocolatkey opened 2 weeks ago
FYI, possibly useful references:
the above links are sufficient, but many years ago I wrote a similar EPUB test book to check for window.top and window.parent security breaches in non-sandboxed iframes. I later ported it to the official EPUB test suite (in a branch):
window.parent.document.body.innerText = "HACKED!";
window.top.document.getElementById("ID").innerHTML = " Click here ";
it's been a while since I last looked into this, but there was this breach method as well:
window.frameElement.ownerDocument.defaultView.location = "http://hack.me";
The iframe elements used to show reflowable and FXL content can be sandboxed using various attributes described here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe. This can provide security enhancements and protect from malicious EPUBs, especially in a situation where content is user generated.
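As an added example (not code from this thread or from the project), the check below audits a content iframe's sandbox attribute value against the access paths quoted above: window.parent, window.top and window.frameElement. The function name auditSandbox and its result fields are hypothetical, and it assumes the publication is served from the same origin as the reading system.

```javascript
// Added example (not from the thread). Assumption: EPUB content is served from
// the same origin as the reading system, the case the snippets above target.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-storage-access-by-user-activation", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// value: the sandbox attribute string, or null when the attribute is absent.
function auditSandbox(value) {
  if (value === null || value === undefined) {
    // No sandbox at all: publication scripts run with the reader's origin.
    return { scriptsRun: true, parentDomReachable: true, canRemoveSandbox: false,
             topNavigation: "allowed", unknownTokens: [] };
  }
  // Tokens are whitespace-separated and matched case-insensitively.
  const tokens = value.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase());
  const has = (t) => tokens.includes(t);
  const scriptsRun = has("allow-scripts");
  // Without allow-same-origin the frame gets an opaque origin, so
  // window.parent.document, window.top.document and window.frameElement
  // are all out of reach even when scripts run.
  const sameOrigin = has("allow-same-origin");
  let topNavigation = "blocked";
  if (has("allow-top-navigation-by-user-activation")) topNavigation = "user-activation";
  if (has("allow-top-navigation")) topNavigation = "allowed";
  return {
    scriptsRun,
    parentDomReachable: scriptsRun && sameOrigin,
    // Scripts plus same origin can reach frameElement and strip the attribute.
    canRemoveSandbox: scriptsRun && sameOrigin,
    topNavigation,
    // Browsers ignore unrecognised tokens, so a typo silently grants nothing.
    unknownTokens: tokens.filter((t) => !KNOWN_TOKENS.has(t)),
  };
}

// Constructed sample values, from no sandbox to a script-enabled same-origin frame.
for (const v of [null, "", "allow-scripts", "allow-scripts allow-same-origin"]) {
  console.log(JSON.stringify(v), auditSandbox(v));
}
```

A reading system that needs scripted publications can run this over its iframe configuration and treat parentDomReachable or canRemoveSandbox being true as a failing result.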