cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
MarcBoes
Frequent Visitor

Is an iFrame element in a Canvas Custom Control safe with sandbox attribute and DOMPurify applied?

To display the filecontent of HTML files in a Power App, I've created a small control with styles, src and srcdoc parameters. These are used as the content / parameter of an iFrame element and a style element.

To prevent tampering, I've applied two safeguards: the iframe tag has the sandbox attribute applied and in case the strings are cleaned with DOMPurify.sanitize first:

 

this.elemStyle=document.createElement("style");
		if(context.parameters.iframestyles.raw){
			this.elemStyle.innerHTML=DOMPurify.sanitize(context.parameters.iframestyles.raw);
			container.appendChild(this.elemStyle);
		}
		this.elemWrap=document.createElement("div");
		this.elemWrap.id="dtswrap";
		this.elemIFrame=document.createElement("iframe");
		this.elemIFrame.id="dtsiframe";
		this.elemIFrame.sandbox;
		if(context.parameters.iframesrc.raw){
			this.elemIFrame.src=DOMPurify.sanitize(context.parameters.iframesrc.raw);
		}else{
			if(context.parameters.iframesrcdoc.raw){
				this.elemIFrame.srcdoc=DOMPurify.sanitize(context.parameters.iframesrcdoc.raw);
			}
		}
		this.elemWrap.appendChild(this.elemIFrame);
		container.appendChild(this.elemWrap);

 


The component code can be found here: https://github.com/MJBoes/20210524IFrameSandboxPCF
 as well.

 

If there are there attack scenario's which are not covered by these two measures, I'd greatly appreciate it if I could be directed to references to do a better job. Thanks in advance, Marc

1 ACCEPTED SOLUTION

Accepted Solutions
cchannon
Super User
Super User

I can't imagine more than this for security on an IFrame. You've added no Allow exclusions whatsoever, so whatever content is in that frame can render nothing more than static HTML. In fact, this is so secure, most modern websites won't even work with it, haha! The only thing this would be usable for is ads or similar static-content pages that are designed to be sandboxed (but are untrustworthy 😈).

This is a thing of beauty.

View solution in original post

2 REPLIES 2
cchannon
Super User
Super User

I can't imagine more than this for security on an IFrame. You've added no Allow exclusions whatsoever, so whatever content is in that frame can render nothing more than static HTML. In fact, this is so secure, most modern websites won't even work with it, haha! The only thing this would be usable for is ads or similar static-content pages that are designed to be sandboxed (but are untrustworthy 😈).

This is a thing of beauty.

MarcBoes
Frequent Visitor

Thank you @cchannon , much appreciated. I mark it as the solution. And yeah, apart from wikipedia it is not usefull as a web viewer. On the other hand, it renders the exported HTML from the Flow Designer UI, so I'm happy it works and is safe to use. Best regards, Marc

Helpful resources

Announcements
Ignite 2022

WHAT’S NEXT AT MICROSOFT IGNITE 2022

Explore the latest innovations, learn from product experts and partners, level up your skillset, and create connections from around the world.

Power Apps Africa Challenge 2022

Power Apps Africa Challenge

Your chance to join an engaging competition of Power Platform enthusiasts.

Users online (2,915)