Security Notes
This page holds security related notices.
2020-09-23 Concerns versions 4.0.0-4.0.2 beta 9
This has been mitigated in the following way:
- Any iframe is now sandboxed. Sandboxed iframes instruct the browser to disallow plug-ins and a number of other things, which makes the rendering safer. It also limits what can be rendered. For example, PDF rendering requires a plug-in and is thus prohibited from rendering by default. Since a lot of CDA documents rely on PDF, a new parameter "limit-pdf" has been implemented. If your environment wants to allow PDF rendering, you may set this parameter to 'no'.
- The sandbox attribute is not supported before Internet Explorer 9. To avoid potentially unsafe content in Internet Explorer 9 and earlier, a switch has been added that prevents iframes entirely under these browser versions.
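The following is an added illustration of the two mitigations above, written for this page and not taken from the stylesheet itself. It models the decisions an embedding layer has to make: sandbox every frame, refuse to embed when the browser cannot enforce the sandbox, and only drop the sandbox for PDF when the environment has explicitly opted out. The function names (`renderEmbedded`, `ieMajorVersion`), the `limitPdf` option, the link fallback for blocked PDFs and the user-agent strings are assumptions made for the example; how the real stylesheet emits its markup is not described on this page.

```javascript
// Added example, not the stylesheet's code. All names are hypothetical.
// Pure functions (no DOM) so the logic can be exercised offline.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Major version of Internet Explorer from a user-agent string, or null
// for any other browser. IE <= 10 announces "MSIE n.0"; IE 11 announces
// "Trident/7.0 ... rv:11.0" instead.
function ieMajorVersion(userAgent) {
  const msie = /MSIE (\d+)\./.exec(userAgent);
  if (msie) return parseInt(msie[1], 10);
  const trident = /Trident\/.*rv:(\d+)\./.exec(userAgent);
  if (trident) return parseInt(trident[1], 10);
  return null;
}

// Decide how embedded (nonXMLBody-style) content is rendered.
//   src        - URL of the embedded content (constructed sample values below)
//   mediaType  - its media type, e.g. "application/pdf" or "text/html"
//   limitPdf   - mirrors the page's "limit-pdf" parameter; 'yes' unless set to 'no'
//   userAgent  - browser user-agent string, used only for the IE guard
// Returns the markup plus flags describing which rule fired.
function renderEmbedded({ src, mediaType, limitPdf = 'yes', userAgent = '' }) {
  const ie = ieMajorVersion(userAgent);
  const isPdf = mediaType === 'application/pdf';

  // Rule 2 from the page: browsers that cannot enforce the sandbox
  // attribute get no iframe at all (assumed cut-off: IE below 9).
  if (ie !== null && ie < 9) {
    return {
      embedded: false,
      sandboxed: false,
      html: '<p>Embedded content is not shown in this browser version.</p>',
    };
  }

  // Rule 1: the sandbox forbids plug-ins, so a sandboxed frame cannot
  // show a PDF. Unless limit-pdf is 'no', offer a link instead of an
  // empty frame (the link fallback is an assumption of this example).
  if (isPdf && limitPdf !== 'no') {
    return {
      embedded: false,
      sandboxed: false,
      html: `<a href="${escapeAttr(src)}">Open attached PDF</a>`,
    };
  }

  // An empty sandbox attribute is the most restrictive form: no scripts,
  // no forms, no plug-ins, unique origin. Only a PDF with limit-pdf=no
  // is emitted without it, because that is the one case the sandbox
  // would break.
  const sandboxed = !isPdf;
  const sandboxAttr = sandboxed ? ' sandbox=""' : '';
  return {
    embedded: true,
    sandboxed,
    html: `<iframe src="${escapeAttr(src)}"${sandboxAttr}></iframe>`,
  };
}

// Constructed sample inputs.
const IE8_UA = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)';
const IE11_UA = 'Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko';
const CHROME_UA = 'Mozilla/5.0 (X11; Linux x86_64) Chrome/85.0.4183.83 Safari/537.36';

module.exports = { escapeAttr, ieMajorVersion, renderEmbedded, IE8_UA, IE11_UA, CHROME_UA };
```

Running `renderEmbedded` with `mediaType: 'application/pdf'` and the default `limitPdf` yields the link fallback; the same call with `limitPdf: 'no'` yields an unsandboxed iframe, which is exactly the trade-off the "limit-pdf" parameter asks the deployer to accept consciously.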
Due to this potential vulnerability, users of versions 4.0.0 through 4.0.2 beta 9 of the stylesheet are encouraged to upgrade to version 4.0.2 beta 10 or later. As always: please test in your own environment. Click to go to the latest release.
Tested against Microsoft Internet Explorer 9, 10, 11, Microsoft Edge (before and after the move to Chromium), Google Chrome, Firefox, Safari (macOS), and Mobile Safari (iOS).