cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
MarcBoes
Frequent Visitor

Is an iFrame element in a Canvas Custom Control safe with sandbox attribute and DOMPurify applied?

To display the filecontent of HTML files in a Power App, I've created a small control with styles, src and srcdoc parameters. These are used as the content / parameter of an iFrame element and a style element.

To prevent tampering, I've applied two safeguards: the iframe tag has the sandbox attribute applied and in case the strings are cleaned with DOMPurify.sanitize first:

 

this.elemStyle=document.createElement("style");
		if(context.parameters.iframestyles.raw){
			this.elemStyle.innerHTML=DOMPurify.sanitize(context.parameters.iframestyles.raw);
			container.appendChild(this.elemStyle);
		}
		this.elemWrap=document.createElement("div");
		this.elemWrap.id="dtswrap";
		this.elemIFrame=document.createElement("iframe");
		this.elemIFrame.id="dtsiframe";
		this.elemIFrame.sandbox;
		if(context.parameters.iframesrc.raw){
			this.elemIFrame.src=DOMPurify.sanitize(context.parameters.iframesrc.raw);
		}else{
			if(context.parameters.iframesrcdoc.raw){
				this.elemIFrame.srcdoc=DOMPurify.sanitize(context.parameters.iframesrcdoc.raw);
			}
		}
		this.elemWrap.appendChild(this.elemIFrame);
		container.appendChild(this.elemWrap);

 


The component code can be found here: https://github.com/MJBoes/20210524IFrameSandboxPCF
 as well.

 

If there are there attack scenario's which are not covered by these two measures, I'd greatly appreciate it if I could be directed to references to do a better job. Thanks in advance, Marc

1 ACCEPTED SOLUTION

Accepted Solutions
cchannon
Solution Sage
Solution Sage

I can't imagine more than this for security on an IFrame. You've added no Allow exclusions whatsoever, so whatever content is in that frame can render nothing more than static HTML. In fact, this is so secure, most modern websites won't even work with it, haha! The only thing this would be usable for is ads or similar static-content pages that are designed to be sandboxed (but are untrustworthy 😈).

This is a thing of beauty.

View solution in original post

2 REPLIES 2
cchannon
Solution Sage
Solution Sage

I can't imagine more than this for security on an IFrame. You've added no Allow exclusions whatsoever, so whatever content is in that frame can render nothing more than static HTML. In fact, this is so secure, most modern websites won't even work with it, haha! The only thing this would be usable for is ads or similar static-content pages that are designed to be sandboxed (but are untrustworthy 😈).

This is a thing of beauty.

View solution in original post

MarcBoes
Frequent Visitor

Thank you @cchannon , much appreciated. I mark it as the solution. And yeah, apart from wikipedia it is not usefull as a web viewer. On the other hand, it renders the exported HTML from the Flow Designer UI, so I'm happy it works and is safe to use. Best regards, Marc

Helpful resources

Announcements
PA User Group

Welcome to the User Group Public Preview

Check out new user group experience and if you are a leader please create your group

Power Query PA Forum 768x460.png

Check it out!

Did you know that you can visit the Power Query Forum in Power BI and now Power Apps

V3_PVA CAmpaign Carousel.png

Community Challenge - Giveaways!

Participate in the Power Virtual Agents Community Challenge

Carousel 2021 Release Wave 2 Plan 768x460.jpg

2021 Release Wave 2 Plan

Power Platform release plan for the 2021 release wave 2 describes all new features releasing from October 2021 through March 2022.

Users online (3,394)