This repository was archived by the owner on Apr 6, 2021. It is now read-only.

IFrame Sandboxing Cross-Browser/Pre HTML5 #3

Open
@GoogleCodeExporter

Investigate a way to implement a factory mechanism to create sandboxed
iframes to simplify the problem of loading potentially untrusted content
into a page (read widgets, microapps, etc.).

Ideally this would be accessed via the Locator like:
<script type="text/javascript">
var untrustedWidget = false;
// Inside with(), the object's properties resolve as bare names;
// `this` is not rebound, so the members are referenced without it.
with( $ESAPI.domUtilities() ) {
   untrustedWidget = contentFactory.createIFrame({
      id: 'untrusted-widget',
      src: 'http://www.untrusted.com/widget',
      sandboxAttributes: [
         Sandbox.ALLOW_SAME_ORIGIN
      ]
   });
}
$ESAPI.select( 'untrusted-widget-container' ).appendChild( untrustedWidget );
</script>

The implementation of the createIFrame method would use the sandbox
attribute of IFrame if supported by the user-agent, and, if not, create an
IFrame JavaScript sandbox using a third party library or by preloading the
content of the page, and wrapping any JavaScript executed in the frame in
the context of a with() block that provides a limited subset of the
JavaScript API (whitelist and blacklist).

There is a great deal of documentation around IFrame Sandboxing in the
HTML5 Specification:

http://dev.w3.org/html5/spec/Overview.html#attr-iframe-sandbox

Original issue reported on code.google.com by chrisisbeef on 29 Apr 2010 at 4:20
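
An added example, not part of the original issue or the project's code: a sketch of the decision described above, where the factory uses the `sandbox` attribute when the user agent supports it and otherwise hands off to a caller-supplied fallback, or returns null so nothing loads unsandboxed. `createSandboxedIFrame`, `supportsSandbox`, `SANDBOX_TOKENS`, the `doc` parameter and the `fallback` callback are assumed names; the token strings are the HTML5 sandbox keywords.

```javascript
// Hypothetical names throughout; only the token strings come from the HTML5 spec.
const SANDBOX_TOKENS = Object.freeze({
  ALLOW_SAME_ORIGIN: 'allow-same-origin',
  ALLOW_SCRIPTS: 'allow-scripts',
  ALLOW_FORMS: 'allow-forms',
  ALLOW_TOP_NAVIGATION: 'allow-top-navigation'
});
const KNOWN_TOKENS = new Set(Object.values(SANDBOX_TOKENS));

// Feature detection: a user agent that implements sandboxing exposes the
// `sandbox` property on iframe elements.
function supportsSandbox(doc) {
  return 'sandbox' in doc.createElement('iframe');
}

// doc:      the document to create the element in (passed in so the
//           function can be exercised without a browser)
// opts:     { id, src, sandboxAttributes: [token, ...] }
// fallback: optional function(opts) used when sandboxing is unsupported,
//           e.g. the script-wrapping approach the issue describes
function createSandboxedIFrame(doc, opts, fallback) {
  const tokens = opts.sandboxAttributes || [];
  for (const token of tokens) {
    // Whitelist the tokens so a typo cannot silently yield a different
    // policy than the caller intended.
    if (!KNOWN_TOKENS.has(token)) {
      throw new Error('unknown sandbox token: ' + token);
    }
  }
  if (!supportsSandbox(doc)) {
    // Fail closed: without a fallback, do not create a plain iframe.
    return typeof fallback === 'function' ? fallback(opts) : null;
  }
  const frame = doc.createElement('iframe');
  frame.id = opts.id;
  // An empty token list yields sandbox="", which applies every restriction.
  // Set the attribute before src: the policy is applied when the frame
  // navigates, so content loaded first would not be restricted.
  frame.setAttribute('sandbox', tokens.join(' '));
  frame.src = opts.src;
  return frame;
}
```

In a browser this would be called as `createSandboxedIFrame(document, { id: 'untrusted-widget', src: 'http://www.untrusted.com/widget', sandboxAttributes: [SANDBOX_TOKENS.ALLOW_SAME_ORIGIN] })`. Granting `allow-scripts` together with `allow-same-origin` to content served from the embedding page's own origin lets that content remove the sandbox attribute.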
