Open rowanmanning opened 3 years ago
We need to make sure that iframe embeds are unable to track users. We maybe have two options, ideally both:
1. We lock things down so that iframes don't get any information about the page. Pretty sure this isn't possible but worth checking out
2. We add a site option to disable all iframe embeds, adding the blue "unrenderable embed" box
We could disable sending referrers to the iframed resource via the `referrerpolicy` attribute: `referrerpolicy="no-referrer"`.
If we want to enforce stricter iframe controls we could use a feature policy via the iframe `allow` attribute, which is supported in Safari and Chrome (and Firefox behind a configuration flag). For example, we could stop the iframe from having webcam and microphone access: `allow="camera 'none'; microphone 'none'"`.
That's a good idea 👍 thanks!
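A sketch of how the two ideas in this thread could fit together when embed markup is generated, added here as an example and not taken from the project's code. The function names, the `disableIframeEmbeds` option, the `unrenderable-embed` class and the https-only rule are assumptions made for illustration.

```javascript
// Added example. All names here are hypothetical, not the project's API.
// Fixed policy attributes from the thread, applied to every iframe embed.
const IFRAME_POLICY = {
  referrerpolicy: 'no-referrer',
  allow: "camera 'none'; microphone 'none'",
};

// Escape a value for use inside a double-quoted HTML attribute or text node.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Placeholder box shown instead of an embed (class name is an assumption).
function unrenderableEmbed(reason) {
  return `<div class="unrenderable-embed">Embed not shown: ${escapeAttr(reason)}</div>`;
}

// Build iframe markup for an embed, or the placeholder when the site
// option disables iframes or the URL is not acceptable.
function renderIframeEmbed(embed, siteOptions = {}) {
  if (siteOptions.disableIframeEmbeds) {
    return unrenderableEmbed('iframe embeds are disabled on this site');
  }
  let url;
  try {
    url = new URL(embed.src);
  } catch {
    return unrenderableEmbed('invalid embed URL');
  }
  // Assumption: only https sources are embedded; this also rejects
  // javascript: and data: URLs.
  if (url.protocol !== 'https:') {
    return unrenderableEmbed('only https embeds are allowed');
  }
  // Policy attributes are spread last so embed data cannot override them.
  const attrs = {
    src: url.href,
    title: embed.title || 'Embedded content',
    ...IFRAME_POLICY,
  };
  const rendered = Object.entries(attrs)
    .map(([name, value]) => `${name}="${escapeAttr(value)}"`)
    .join(' ');
  return `<iframe ${rendered}></iframe>`;
}
```
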