On Wed, Jan 31, 2024 at 10:18 AM Tim Moody <tim(a)timmoody.com> wrote:
Discussions as to the security of iframes are ongoing,
such as
https://phabricator.wikimedia.org/T222807 and a number of others.
It is time to resolve this once and for all. How can we adjudicate this
question and say definitively that iframes mitigate the security risk of
running Javascript in the user's browser if certain specified requirements
are met?
The iframe sandboxing + enforcing CSP approach described in T222807 would
reduce the risk of running potentially dangerous javascript within a user's
browser, but not eliminate the risk entirely. Unfortunately there have
been some related performance issues in exploring this approach (see:
https://phabricator.wikimedia.org/T169027#9342985) as well as some
criticism regarding whether or not this approach is in line with the
Wikimedia movement's values (see:
https://phabricator.wikimedia.org/T169027#9362252)
--
Scott Bassett
sbassett(a)wikimedia.org