Sandboxing navigator iFrames #84
Labels
enhancement
New feature or request
Comments
|
FYI, possibly useful references: |
|
the above links are sufficient, but many years ago I wrote a similar EPUB test book to check for window.top and window.parent security breaches in non-sandboxed iframes. I later ported it to the official EPUB test suite (in a branch): window.parent.document.body.innerText = “HACKED!”; window.top.document.getElementById("ID").innerHTML = “ Click here ”; it's been a while since I last looked into this, but there was this breach method as well: window.frameElement.ownerDocument.defaultView.location = “http://hack.me”; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
iframeelements used to show reflowable and FXL content can be sandboxed using various attributes described here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe. This can provide security enhancements and protect from malicious EPUBs, especially in a situation where content is user generated.The text was updated successfully, but these errors were encountered: