Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add sandboxed mode to HTML component #544

Merged
merged 12 commits into from
Jun 29, 2024
Merged

Add sandboxed mode to HTML component #544

merged 12 commits into from
Jun 29, 2024

Conversation

wwwillchen
Copy link
Collaborator

@wwwillchen wwwillchen commented Jun 26, 2024
edited
Loading

Approach: This iframes HTML content (potentially from end-user input) in a sandboxed iframe without "allow-same-origin" to ensure the content does not run on the same origin as the main Mesop app.

This uses a double-iframing approach because we cannot directly use <iframe srcdoc="${html}"> from the main Mesop app because Mesop by default applies a stringent CSP (e.g. trusted types) and iframe documents using srcdoc automatically inherit their parent's CSP and this makes the iframe basically unusable for many use cases.

Instead we iframe sandboxed_iframe.html which is served with a minimal CSP that only prevents being iframed by other origins besides the Mesop app and then within sandboxed_iframe.html we render the (untrusted) HTML content inside a sandboxed iframe.

Fixes #156.

@wwwillchen wwwillchen marked this pull request as ready for review June 26, 2024 06:36
richard-to
richard-to approved these changes Jun 26, 2024
View reviewed changes
Copy link
Collaborator

@richard-to richard-to left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - I like the api here. I think better than the alternative of having the embed element accept html.

mesop/components/html/html.py Outdated Show resolved Hide resolved
mesop/components/html/html.ts Outdated Show resolved Hide resolved
mesop/web/src/safe_iframe/safe_iframe.ts Outdated Show resolved Hide resolved
@wwwillchen
Copy link
Collaborator Author

Need to hold off, there's a security issue with this approach.

@wwwillchen
Copy link
Collaborator Author

Need to hold off, there's a security issue with this approach.

Fixed now.

@wwwillchen wwwillchen merged commit 412cd8e into google:main Jun 29, 2024
3 checks passed
@wwwillchen wwwillchen deleted the i156 branch June 29, 2024 05:35
@wwwillchen wwwillchen mentioned this pull request Aug 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@richard-to richard-to richard-to approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add a component to directly embed html
2 participants
@wwwillchen @richard-to