Security model #987
Comments
One can use Content Security Policy (CSP) to limit the kinds of resources that are allowed.
"Security" is always a big topic that isn't possible to capture in a single issue. Having said that, I do think that the question itself needs to be explicitly addressed. I'm not a lead developer of this project at all (just dropping by) but here's my take anyway ...
It does not appear so. I came across this issue because I was looking for exactly that. There seems to be no documentation or parts of the code that deal with security. At the very least, we might say that if epub.js is not yet a complete implementation of the ePub spec, there's a smaller domain for an attacker to exploit. In Googling around, I landed on this article which is referenced by many to explain the security risks involved in the ePub format (especially ePub3). I recommend it as a start to thinking about the issue. The takeaway is this:
This is what the article claims is the basic security model of Apple iBook reader. Basically, an ePub does not have network access and cannot write persistent data. You then deal with the corner-cases after that.
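As an added example (not code from epub.js or from the commenters), the check below parses a host page's CSP and reports which fetch directives could still reach the network, which is what the "no network access" model above rules out. The function names, the sample policies and the choice of `'none'`, `'self'`, `blob:` and `data:` as local sources are assumptions.

```javascript
// Added example, not epub.js code.
// Assumption: sources treated as "local" for a reader page that serves its own books.
const LOCAL = new Set(["'none'", "'self'", "blob:", "data:"]);
// Fetch directives that fall back directly to default-src when absent.
const FETCH = ["script-src", "style-src", "img-src", "font-src", "media-src", "connect-src"];

// Parse "name v1 v2; name2 v3" into Map(name -> [values]).
// A repeated directive is ignored: the first occurrence wins, as in CSP.
function parseCsp(header) {
  const out = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!out.has(key)) out.set(key, values);
  }
  return out;
}

// Quoted keywords, nonces and hashes ('unsafe-inline', 'nonce-...') name no network origin.
function isNetworkSource(src) {
  const s = src.toLowerCase();
  if (LOCAL.has(s)) return false;
  return !(s.startsWith("'") && s.endsWith("'"));
}

// Return { directive: [offending sources] } for each fetch directive that can reach the network.
function networkLeaks(header) {
  const csp = parseCsp(header);
  const leaks = {};
  for (const d of FETCH) {
    const list = csp.get(d) ?? csp.get("default-src");
    if (list === undefined) { leaks[d] = ["(unrestricted)"]; continue; }
    const bad = list.filter(isNetworkSource);
    if (bad.length) leaks[d] = bad;
  }
  return leaks;
}

// Constructed sample policies.
const strict = "default-src 'none'; img-src 'self' blob: data:; style-src 'self' 'unsafe-inline'";
const loose = "default-src 'self'; img-src *; font-src https://fonts.example";
console.log(networkLeaks(strict)); // no leaking directives
console.log(networkLeaks(loose));  // img-src and font-src can reach remote hosts
```
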
Not sure why my comment above is being thumbed down. It's not really Epub.js's job to decide what script gets run and what doesn't, since it doesn't and can't interpret JavaScript. The browser does. And CSP is one of the tools provided by the browser to mitigate this kind of issue. Since Epub.js renders things in iframes by default, another way would be setting the
diff --git a/src/managers/views/iframe.js b/src/managers/views/iframe.js
index 611da3d..9f95fb4 100644
--- a/src/managers/views/iframe.js
+++ b/src/managers/views/iframe.js
@@ -81,6 +81,7 @@ class IframeView {
}
this.iframe = document.createElement("iframe");
+ this.iframe.setAttribute("sandbox", "allow-same-origin");
this.iframe.id = this.id;
this.iframe.scrolling = "no"; // Might need to be removed: breaks ios width calculations
this.iframe.style.overflow = "hidden";
This would disable JavaScript, which is the single biggest threat.
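Review bot: on the added `this.iframe.setAttribute("sandbox", "allow-same-origin");` line, the token list is hard-coded with no comment explaining why `allow-same-origin` is kept and `allow-scripts` is left out. Add a comment stating that the two must never be combined on this frame, because content that has both can reach its own iframe element in the parent document and remove the sandbox attribute. It is also worth documenting that a sandbox without `allow-scripts` stops script execution but does not stop the book from requesting remote images or stylesheets, so the tracking concern raised in this issue still needs a resource restriction such as the CSP suggested earlier in the thread.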
@FedericoCeratto Thank you for raising this issue. Would you be so kind as to explain why you have downvoted the initial reply to your issue? I saw that you are affiliated with OONI and the Tor Project and I highly respect these two projects for their work pertaining to freedom, privacy and security. Would you mind joining this conversation again so that we can all benefit from the expertise of one another?
Linking for keeping track of the vulnerabilities check within Foliate which utilizes epub.js.
@fchasen I think it would be good to start adding a security.md to this GitHub repository.
Epubs can contain links and JavaScript. This might be used to track users without their consent or even attack their browser.
Does epub.js have a threat model or any security feature to address this?
Thanks