Consider FULLY sandboxing and isolating the iframe (remove allow-same-origin)
#986
Comments
|
Having said that, libzim currently works entirely via post messaging a Worker, so some of the messaging infrastructure is already in place (but not the method of populating an isolated iframe). |
|
Using Shadow DOM may be the best way to isolate the displayed document from the application that receives the post messaging. This implies limiting it to modern browsers. However, if this is primarily for Manifest v3 support, then that is not an issue. |
|
We would need an initial script attached to We can't assume that an article loaded into the iframe is always HTML, so we still need a way to isolate the messaging application from the document displayed, but all within the same sandbox. Shadow DOM might do it, so long as any document loaded from the Shadow DOM stays in the Shadow DOM, and doesn't overwrite the whole iframe, and so long as the Shadow DOM is accessible via scripting... |
|
Some of the challenges of using Shadow DOM instead of iframes are described here: https://medium.com/bbc-product-technology/goodbye-iframes-6c84a651e137. |
|
Experiments with Manifest v3, specifically this commit, show that we wouldn't be able to do this simply by setting the src of a nested iframe to the URL of the article. This is considered cross-site scripting with a user-provided value, and is blocked. The sandbox with liberal CSP only works with URLs specifically provided in the app manifest, and it seems that nested iframes are not exempt. This is not a solution for us, and it means we'd have to inject the HTML directly into the iframe's DOM (which also might not work). |
|
Using Shadow DOM appears not to be an option because there is no way to specify a Neither is it possible to navigate an iframe elsewhere after loading article.html. This gets actively blocked by the browser. |
|
Turns out to be a major piece of re-engineering to fix this, for little gain when we have a better solution #992. |
The advantage of fully isolating/sandboxing the iframe becomes evident with Manifest v3 of the webextension specification. If the sandbox is fully isolated, i.e. if it does not
allow-same-originaccess, then it is possible to relax the CSP within the iframe, e.g. by allowingunsafe-inlineandunsafe-eval. See https://developer.chrome.com/docs/extensions/mv3/sandboxingEval/ for a full explanation of the advantages. Something like this will be necessary if we are to add Zimit support to Kiwix JS and still support Manifest v3. Many Zimit sites will useunsafe-inlinecode, because they have not been specifically tailored for ZIM usage (see #865), and many may rely on frameworks that will haveunsafe-evalcode.The big DISADVANTAGE of this approach is that the only way to access a fully isolated iframe (one which does not
allow-same-origin) is via post messaging. It would be necessary to have a small application in the iframe to receive the messages and display the HTML. It might be necessary for the iframe to spawn another iframe in order to separate the ZIM contents from the application. This implies a significant re-engineering effort, and it's not possible to tell how well it would work without undertaking quite a lot of that re-engineering.The text was updated successfully, but these errors were encountered: