[Question] Why are iframes removed by default? #566
Comments
Because they are too powerful and bring too many privacy and security risks - especially since there are lots of moving parts with sandbox, srcdoc, etc. etc. Lastly, they are rarely needed in user controlled HTML. Unless you have some crazy edge case, you don't want your users to inject iframes into your website.
Privacy and security risks like what? I do have a use case, which is that I want people to be able to embed arbitrary HTML5 games and animations on my website. It is very important to the main functionality of my site that users are able to do this, so I was concerned that there is some vulnerability I don't know about when I discovered that they're disabled by default, but all I could find from looking it up was clickjacking and phishing. If necessary, I can use hooks or other config options to enforce the safe usage (e.g. by restricting attributes), but I'd need to know what specifically is dangerous about them. Also, it may be worth noting I'm not serializing the HTML output to a string to concatenate or insert it into anything. I'm using the
For your use case, looking into Iframe sandbox might make sense, then folks should be able to run whatever content inside the iframe hosts on your website. Not sure how sanitization would be the way to go then though. Lots of good pointers can be found here as well:
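As an added example (not code from this thread or from the sanitizer's project), here is one way to combine the hook-based attribute restriction raised above with the sandbox suggestion in the previous comment. It assumes the sanitizer is DOMPurify (the thread does not name it) and uses its `afterSanitizeAttributes` hook; the origin allowlist, the `StubIframe` element stand-in and the sample attribute maps are constructed for the example.

```javascript
// Added example; assumes DOMPurify's afterSanitizeAttributes hook, which runs
// after DOMPurify has already dropped the attributes it does not allow.

// Constructed allowlist: origins whose games/animations may be embedded.
const ALLOWED_EMBED_ORIGINS = new Set(['https://games.example']);

// No allow-same-origin, allow-top-navigation, allow-forms or allow-popups:
// the embed runs in an opaque origin, cannot read the host's cookies or DOM,
// and cannot navigate the top-level page (the clickjacking/phishing angle).
const FORCED_SANDBOX = 'allow-scripts';

// Attributes an embedded game legitimately needs; srcdoc, allow, name, etc. go.
const KEPT_ATTRS = new Set(['src', 'width', 'height', 'title', 'sandbox']);

// Rewrites an <iframe>'s attributes in place; returns false if it must be removed.
function hardenIframe(el) {
  let origin;
  try { // a relative or schemeless src resolves against a dummy base and fails the allowlist
    origin = new URL(el.getAttribute('src') || '', 'https://host.invalid').origin;
  } catch (e) { return false; }
  if (!ALLOWED_EMBED_ORIGINS.has(origin)) return false;
  for (const name of el.getAttributeNames()) {
    if (!KEPT_ATTRS.has(name)) el.removeAttribute(name);
  }
  el.setAttribute('sandbox', FORCED_SANDBOX); // overrides any user-supplied value
  return true;
}

// Hook in DOMPurify's (currentNode, hookEvent, config) shape.
function iframeHook(node) {
  if (node.nodeName.toLowerCase() !== 'iframe') return;
  if (!hardenIframe(node) && node.parentNode) node.parentNode.removeChild(node);
}
// Browser wiring: DOMPurify.addHook('afterSanitizeAttributes', iframeHook);
//   DOMPurify.sanitize(html, { ADD_TAGS: ['iframe'], ADD_ATTR: ['sandbox'] });

// Constructed stand-in for a DOM Element so the hook can be exercised offline.
class StubIframe {
  constructor(attrs) {
    this.nodeName = 'IFRAME'; this.attrs = { ...attrs }; this.removed = false;
    this.parentNode = { removeChild: () => { this.removed = true; } };
  }
  getAttribute(n) { return n in this.attrs ? this.attrs[n] : null; }
  getAttributeNames() { return Object.keys(this.attrs); }
  setAttribute(n, v) { this.attrs[n] = v; }
  removeAttribute(n) { delete this.attrs[n]; }
}

// Runs the hook over one attribute map; null means the iframe was removed.
function sanitizeIframe(attrs) {
  const el = new StubIframe(attrs);
  iframeHook(el);
  return el.removed ? null : el.attrs;
}
```

Because the hook runs after DOMPurify's own attribute pass, a user-supplied sandbox value cannot survive it, and a src outside the allowlist removes the whole element rather than leaving a neutered one behind.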
I was just wondering, why are iframes not whitelisted by default? Are the only concerns clickjacking and phishing, or are there other vulnerabilities I'm unaware of?