cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
MarcBoes
Frequent Visitor

Is an iFrame element in a Canvas Custom Control safe with sandbox attribute and DOMPurify applied?

To display the filecontent of HTML files in a Power App, I've created a small control with styles, src and srcdoc parameters. These are used as the content / parameter of an iFrame element and a style element.

To prevent tampering, I've applied two safeguards: the iframe tag has the sandbox attribute applied and in case the strings are cleaned with DOMPurify.sanitize first:

 

this.elemStyle=document.createElement("style");
		if(context.parameters.iframestyles.raw){
			this.elemStyle.innerHTML=DOMPurify.sanitize(context.parameters.iframestyles.raw);
			container.appendChild(this.elemStyle);
		}
		this.elemWrap=document.createElement("div");
		this.elemWrap.id="dtswrap";
		this.elemIFrame=document.createElement("iframe");
		this.elemIFrame.id="dtsiframe";
		this.elemIFrame.sandbox;
		if(context.parameters.iframesrc.raw){
			this.elemIFrame.src=DOMPurify.sanitize(context.parameters.iframesrc.raw);
		}else{
			if(context.parameters.iframesrcdoc.raw){
				this.elemIFrame.srcdoc=DOMPurify.sanitize(context.parameters.iframesrcdoc.raw);
			}
		}
		this.elemWrap.appendChild(this.elemIFrame);
		container.appendChild(this.elemWrap);

 


The component code can be found here: https://github.com/MJBoes/20210524IFrameSandboxPCF
 as well.

 

If there are there attack scenario's which are not covered by these two measures, I'd greatly appreciate it if I could be directed to references to do a better job. Thanks in advance, Marc

1 ACCEPTED SOLUTION

Accepted Solutions
cchannon
Solution Supplier
Solution Supplier

I can't imagine more than this for security on an IFrame. You've added no Allow exclusions whatsoever, so whatever content is in that frame can render nothing more than static HTML. In fact, this is so secure, most modern websites won't even work with it, haha! The only thing this would be usable for is ads or similar static-content pages that are designed to be sandboxed (but are untrustworthy 😈).

This is a thing of beauty.

View solution in original post

2 REPLIES 2
cchannon
Solution Supplier
Solution Supplier

I can't imagine more than this for security on an IFrame. You've added no Allow exclusions whatsoever, so whatever content is in that frame can render nothing more than static HTML. In fact, this is so secure, most modern websites won't even work with it, haha! The only thing this would be usable for is ads or similar static-content pages that are designed to be sandboxed (but are untrustworthy 😈).

This is a thing of beauty.

View solution in original post

MarcBoes
Frequent Visitor

Thank you @cchannon , much appreciated. I mark it as the solution. And yeah, apart from wikipedia it is not usefull as a web viewer. On the other hand, it renders the exported HTML from the Flow Designer UI, so I'm happy it works and is safe to use. Best regards, Marc

Helpful resources

Announcements
PA User Group

Welcome to the User Group Public Preview

Check out new user group experience and if you are a leader please create your group

MBAS Attendee Badge

Claim Your Badge & Digital Swag!

Check out how to claim yours today!

secondImage

Demo Extravaganza is Back!

We are excited to announce that Demo Extravaganza for 2021 has started!

MBAS on Demand

Microsoft Business Applications Summit sessions

On-demand access to all the great content presented by the product teams and community members! #MSBizAppsSummit #CommunityRocks

Users online (23,525)