Isolate inline message parts in individual, sandboxed iframes

[pabzm]

I'd like to change how Roundcube renders messages: Let's fetch message- and mime-part-headers as JSON, render their details from Javascript, and insert an iframe for each message part that is to be shown, which then fetches its rendered contents individually.

This would:

• mitigate redressing attacks (like #6450, but also overlaying Roundcube-buttons, injecting new buttons into the action bar etc.),
• block a lot of XSS and similar attacks (due to strict sandboxing),
• prevent any Javascript execution at all (due to strict sandboxing),
• reduce inline Javascript (which brings us one small step closer to enable stricter CSPs).

I know this sounds like a big change, but I built a simple proof-of-concept that doesn't even muddle up too much existing code, so I think it's doable (if you're curious: https://github.com/pabzm/roundcubemail/tree/message-render-json-iframe). It's still probably much work due to a lot of edge cases with "interesting" messages, but I'd like to tackle it.

Of course the edge case handling currently implemented in show.php would need to be moved, but that'd be good for testing anyway.

This is an itch that bugs me since quite a while, and I think it would be a huge step forward.

@roundcube/webmail-developers What do you think?

[alecpl]

I think it's harder than you think, not mentioning it's a big BC break. Performance wise also might be not great.

[pabzm]

I know it's ambitious, but it would solve or help so many issues. No scripting issues from HTML messages anymore! Way less room for redressing attacks! :)

I've come around to reduce the attempt to one-iframe-per-part, without loading-data-as-json, which is in branch https://github.com/pabzm/roundcubemail/tree/message-render-iframe and contains even less changes.

Performance wise also might be not great.

Why do you think so? Because more HTTP requests are necessary? I'd still consider the security advantage a win over that.

[pabzm]

@alecpl Which things would you expect to be the biggest problems? I made the iframed rendering work with HTML-emails, that contain remote objects, and with signed/encrypted emails, too. In both cases the necessary hints and buttons are displayed and are working, even though they are not rendered inside the iframe.