cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
MarcBoes
Frequent Visitor

Is an iFrame element in a Canvas Custom Control safe with sandbox attribute and DOMPurify applied?

To display the filecontent of HTML files in a Power App, I've created a small control with styles, src and srcdoc parameters. These are used as the content / parameter of an iFrame element and a style element.

To prevent tampering, I've applied two safeguards: the iframe tag has the sandbox attribute applied and in case the strings are cleaned with DOMPurify.sanitize first:

 

this.elemStyle=document.createElement("style");
		if(context.parameters.iframestyles.raw){
			this.elemStyle.innerHTML=DOMPurify.sanitize(context.parameters.iframestyles.raw);
			container.appendChild(this.elemStyle);
		}
		this.elemWrap=document.createElement("div");
		this.elemWrap.id="dtswrap";
		this.elemIFrame=document.createElement("iframe");
		this.elemIFrame.id="dtsiframe";
		this.elemIFrame.sandbox;
		if(context.parameters.iframesrc.raw){
			this.elemIFrame.src=DOMPurify.sanitize(context.parameters.iframesrc.raw);
		}else{
			if(context.parameters.iframesrcdoc.raw){
				this.elemIFrame.srcdoc=DOMPurify.sanitize(context.parameters.iframesrcdoc.raw);
			}
		}
		this.elemWrap.appendChild(this.elemIFrame);
		container.appendChild(this.elemWrap);

 


The component code can be found here: https://github.com/MJBoes/20210524IFrameSandboxPCF
 as well.

 

If there are there attack scenario's which are not covered by these two measures, I'd greatly appreciate it if I could be directed to references to do a better job. Thanks in advance, Marc

1 ACCEPTED SOLUTION

Accepted Solutions
cchannon
Super User
Super User

I can't imagine more than this for security on an IFrame. You've added no Allow exclusions whatsoever, so whatever content is in that frame can render nothing more than static HTML. In fact, this is so secure, most modern websites won't even work with it, haha! The only thing this would be usable for is ads or similar static-content pages that are designed to be sandboxed (but are untrustworthy 😈).

This is a thing of beauty.

View solution in original post

2 REPLIES 2
cchannon
Super User
Super User

I can't imagine more than this for security on an IFrame. You've added no Allow exclusions whatsoever, so whatever content is in that frame can render nothing more than static HTML. In fact, this is so secure, most modern websites won't even work with it, haha! The only thing this would be usable for is ads or similar static-content pages that are designed to be sandboxed (but are untrustworthy 😈).

This is a thing of beauty.

MarcBoes
Frequent Visitor

Thank you @cchannon , much appreciated. I mark it as the solution. And yeah, apart from wikipedia it is not usefull as a web viewer. On the other hand, it renders the exported HTML from the Flow Designer UI, so I'm happy it works and is safe to use. Best regards, Marc

Helpful resources

Announcements
Power Platform Call June 2022 768x460.png

Power Platform Community Call

Join us for the next call on August 17, 2022 at 8am PDT.

Power Platform Conf 2022 768x460.jpg

Join us for Microsoft Power Platform Conference

The first Microsoft-sponsored Power Platform Conference is coming in September. 100+ speakers, 150+ sessions, and what's new and next for Power Platform.

Users online (1,888)