cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
MarcBoes
Frequent Visitor

Is an iFrame element in a Canvas Custom Control safe with sandbox attribute and DOMPurify applied?

To display the filecontent of HTML files in a Power App, I've created a small control with styles, src and srcdoc parameters. These are used as the content / parameter of an iFrame element and a style element.

To prevent tampering, I've applied two safeguards: the iframe tag has the sandbox attribute applied and in case the strings are cleaned with DOMPurify.sanitize first:

 

this.elemStyle=document.createElement("style");
		if(context.parameters.iframestyles.raw){
			this.elemStyle.innerHTML=DOMPurify.sanitize(context.parameters.iframestyles.raw);
			container.appendChild(this.elemStyle);
		}
		this.elemWrap=document.createElement("div");
		this.elemWrap.id="dtswrap";
		this.elemIFrame=document.createElement("iframe");
		this.elemIFrame.id="dtsiframe";
		this.elemIFrame.sandbox;
		if(context.parameters.iframesrc.raw){
			this.elemIFrame.src=DOMPurify.sanitize(context.parameters.iframesrc.raw);
		}else{
			if(context.parameters.iframesrcdoc.raw){
				this.elemIFrame.srcdoc=DOMPurify.sanitize(context.parameters.iframesrcdoc.raw);
			}
		}
		this.elemWrap.appendChild(this.elemIFrame);
		container.appendChild(this.elemWrap);

 


The component code can be found here: https://github.com/MJBoes/20210524IFrameSandboxPCF
 as well.

 

If there are there attack scenario's which are not covered by these two measures, I'd greatly appreciate it if I could be directed to references to do a better job. Thanks in advance, Marc

1 ACCEPTED SOLUTION

Accepted Solutions
cchannon
Memorable Member
Memorable Member

I can't imagine more than this for security on an IFrame. You've added no Allow exclusions whatsoever, so whatever content is in that frame can render nothing more than static HTML. In fact, this is so secure, most modern websites won't even work with it, haha! The only thing this would be usable for is ads or similar static-content pages that are designed to be sandboxed (but are untrustworthy 😈).

This is a thing of beauty.

View solution in original post

2 REPLIES 2
cchannon
Memorable Member
Memorable Member

I can't imagine more than this for security on an IFrame. You've added no Allow exclusions whatsoever, so whatever content is in that frame can render nothing more than static HTML. In fact, this is so secure, most modern websites won't even work with it, haha! The only thing this would be usable for is ads or similar static-content pages that are designed to be sandboxed (but are untrustworthy 😈).

This is a thing of beauty.

View solution in original post

MarcBoes
Frequent Visitor

Thank you @cchannon , much appreciated. I mark it as the solution. And yeah, apart from wikipedia it is not usefull as a web viewer. On the other hand, it renders the exported HTML from the Flow Designer UI, so I'm happy it works and is safe to use. Best regards, Marc

Helpful resources

Announcements
PA_User Group Leader_768x460.jpg

Manage your user group events

Check out the News & Announcements to learn more.

Power Query PA Forum 768x460.png

Check it out!

Did you know that you can visit the Power Query Forum in Power BI and now Power Apps

Carousel 2021 Release Wave 2 Plan 768x460.jpg

2021 Release Wave 2 Plan

Power Platform release plan for the 2021 release wave 2 describes all new features releasing from October 2021 through March 2022.

PowerPlatform 768x460.png

Microsoft Learn

Check out our new Discover Your Career Path blog post series and get all the details.

Users online (1,775)