On Wed, Jan 31, 2024 at 10:18 AM Tim Moody <tim@timmoody.com> wrote:

Discussions as to the security of iframes are ongoing, such as https://phabricator.wikimedia.org/T222807 and a number of others.

It is time to resolve this once and for all. How can we adjudicate this question and say definitively that iframes mitigate the security risk of running Javascript in the user's browser if certain specified requirements are met?

The iframe sandboxing + enforcing CSP approach described in T222807 would reduce the risk of running potentially dangerous javascript within a user's browser, but not eliminate the risk entirely. Unfortunately there have been some related performance issues in exploring this approach (see: https://phabricator.wikimedia.org/T169027#9342985) as well as some criticism regarding whether or not this approach is in line with the Wikimedia movement's values (see: https://phabricator.wikimedia.org/T169027#9362252)

Scott Bassett

sbassett@wikimedia.org