rowanmanning / audrey

A simple single-user and self-hosted feed reader
GNU General Public License v3.0

Make sure that iframe embeds are unable to track users #21

Open rowanmanning opened 3 years ago

rowanmanning commented 3 years ago

We need to make sure that iframe embeds are unable to track users. We may have two options, ideally both:

  1. We lock things down so that iframes don't get any information about the page. Pretty sure this isn't possible but worth checking out

  2. We add a site option to disable all iframe embeds, adding the blue "unrenderable embed" box

JakeChampion commented 3 years ago

> We need to make sure that iframe embeds are unable to track users. We may have two options, ideally both:
>
> 1. We lock things down so that iframes don't get any information about the page. Pretty sure this isn't possible but worth checking out

We could disable sending referrers to the iframed resource via the referrerpolicy attribute referrerpolicy="no-referrer".

If we want to enforce stricter iframe controls we could use a feature policy via the iframe allow attribute which is supported in Safari and Chrome (and Firefox behind a configuration flag). For example we could stop the iframe from having webcam and microphone access allow="camera 'none'; microphone 'none'".
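As an added example (not audrey's own code, and not from either commenter), the following shows how both options in this thread can be combined when rendering a feed item: every embed gets `referrerpolicy="no-referrer"`, a feature allow-list that denies camera and microphone (plus a few more), and a `sandbox` without `allow-same-origin` so the frame runs with an opaque origin; when the assumed site option `allowIframes` is off, or the `src` is not a plain `https:` URL, the "unrenderable embed" placeholder is emitted instead. The option name, the `embed--unrenderable` class and the list of denied features are assumptions for illustration.

```javascript
// Added example: render a feed embed as a locked-down <iframe>, or as a
// placeholder when iframe embeds are disabled. Not part of audrey.

const ATTRIBUTE_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTRIBUTE_ESCAPES[c]);
}

// Features an embedded player has no business using. The attribute value
// is a Permissions-Policy style list: "camera 'none'; microphone 'none'; ...".
// The exact set is an assumption; extend it to taste.
const DENIED_FEATURES = [
  'camera', 'microphone', 'geolocation', 'payment', 'usb',
  'display-capture', 'screen-wake-lock',
];

function buildAllowAttribute() {
  return DENIED_FEATURES.map((feature) => `${feature} 'none'`).join('; ');
}

// Accept only absolute https: URLs. Anything else (javascript:, data:,
// relative paths, unparsable strings) is treated as unrenderable so that
// it never reaches a src= or href= attribute.
function parseEmbedSrc(src) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;
  url.username = '';
  url.password = '';
  return url;
}

// The blue "unrenderable embed" box. A link is only offered when the
// URL passed validation; otherwise the user just sees the notice.
function renderUnrenderable(url) {
  const link = url
    ? ` <a href="${escapeAttr(url.href)}" rel="noopener noreferrer" target="_blank">Open in a new tab</a>`
    : '';
  return `<div class="embed embed--unrenderable">Embedded content not shown.${link}</div>`;
}

// options.allowIframes is the assumed site-wide switch from option 2.
function renderEmbed(src, options = {}) {
  const { allowIframes = true } = options;
  const url = parseEmbedSrc(src);
  if (!allowIframes || url === null) return renderUnrenderable(url);

  const attributes = [
    `src="${escapeAttr(url.href)}"`,
    // Option 1: never tell the embed which page (or site) it is on.
    'referrerpolicy="no-referrer"',
    // No allow-same-origin: the frame gets an opaque origin, so script in it
    // cannot read its own cookies or storage, and it cannot touch our DOM.
    'sandbox="allow-scripts"',
    `allow="${buildAllowAttribute()}"`,
    // Chromium-only at the time of writing: fetch the frame without cookies.
    'credentialless',
    'loading="lazy"',
  ];
  return `<iframe ${attributes.join(' ')}></iframe>`;
}

// Usage on a constructed sample of feed-item embeds.
function demo() {
  return [
    renderEmbed('https://www.youtube.com/embed/dQw4w9WgXcQ'),
    renderEmbed('https://www.youtube.com/embed/dQw4w9WgXcQ', { allowIframes: false }),
    renderEmbed('javascript:alert(document.cookie)'),
  ];
}
```

Two caveats worth keeping in mind: `sandbox` and `referrerpolicy` only limit what the framed document can see and do; the request for the frame's `src` still goes out, so the embed's host still learns the user's IP address and, unless the browser blocks third-party cookies or honours `credentialless`, may still receive cookies it set earlier. Some embed providers also refuse to run when `allow-same-origin` is absent, so the site-wide switch from option 2 remains the only setting that stops every form of tracking by the embed.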

rowanmanning commented 3 years ago

That's a good idea 👍 thanks!