iframe security

Author: codehippie1

SampleApp/src/app/features/features.component.html

@@ -880,13 +880,6 @@ <h3>Using Convenience Configuration Objects</h3>
     <!-- PDF Viewer -->
     <div class="viewer-panel">
       <mat-card>
-      <mat-card-header>
-          <mat-card-title>ng2-pdfjs-viewer</mat-card-title>
-          <mat-card-subtitle
-            >Live Demo with Current Configuration</mat-card-subtitle
-          >
-      </mat-card-header>
-      
       <mat-card-content>
           <!-- trackBy forces component recreation when key changes -->
           <ng2-pdfjs-viewer 

docs-website/data/projects.json

@@ -8,7 +8,7 @@
     "industry": "Finance",
     "techStack": ["Angular", "Node.js", "MongoDB"],
     "featuresUsed": ["custom-theming", "annotations", "search"],
-    "versionUsed": "25.0.8",
+    "versionUsed": "25.0.10",
     "developerName": "John Doe",
     "companyName": "Acme Corp",
     "submittedAt": "2024-01-15T10:00:00Z",

docs-website/docs/api/component-inputs.md

@@ -1032,6 +1032,77 @@ interface SecurityWarning {
 }
 ```
 
+### iframe Security (Built-in)
+
+The iframe includes built-in security with static sandbox attributes for enhanced protection:
+
+```html
+<!-- Built-in security (always enabled) -->
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf">
+</ng2-pdfjs-viewer>
+```
+
+**Static Sandbox Attributes:**
+- `allow-forms` - Required for PDF form functionality
+- `allow-scripts` - Required for PDF.js JavaScript execution
+- `allow-same-origin` - Required for loading PDF files and assets
+- `allow-modals` - Required for PDF.js dialogs (print, download)
+
+**Security Benefits:**
+- **XSS Prevention** - Prevents malicious scripts from affecting parent page
+- **CSP Compliance** - Meets Content Security Policy requirements
+- **Data Protection** - Limits iframe access to parent window context
+- **Enterprise Ready** - Suitable for corporate security environments
+
+> **Note**: Sandbox attributes are fixed for security and Angular compliance. They cannot be customized dynamically.
+
+### `iframeBorder`
+- **Type**: `string | number`
+- **Default**: `"0"`
+- **Description**: iframe border style for visual customization
+
+```typescript
+// Default (no border)
+iframeBorder = "0";
+
+// Custom border style
+iframeBorder = "2px solid #ccc";
+
+// Numeric border (pixels)
+iframeBorder = 1;
+
+// No border (explicit)
+iframeBorder = "none";
+```
+
+```html
+<!-- Default (no border) -->
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf">
+</ng2-pdfjs-viewer>
+
+<!-- Custom border -->
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf"
+  iframeBorder="2px solid #ccc">
+</ng2-pdfjs-viewer>
+
+<!-- Numeric border -->
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf"
+  [iframeBorder]="1">
+</ng2-pdfjs-viewer>
+```
+
+**Border Values:**
+- `"0"` or `0` - No border (default)
+- `"none"` - No border (explicit)
+- `"1px solid #000"` - 1px solid black border
+- `"2px dashed #ccc"` - 2px dashed gray border
+- `"3px solid #007acc"` - 3px solid blue border
+- Any valid CSS border value
+
 ## Next Steps
 
 - 📤 [**Component Outputs**](./component-outputs) - Event handling

docs-website/docs/changelog.md

@@ -1,8 +1,8 @@
-# What's New in v25.0.0 🎉
+# What's New in v25.x 🎉
 
 ## Release Highlights
 
-Version 25.0.0 marks a **complete rewrite** of ng2-pdfjs-viewer with modern Angular patterns, enhanced performance, and a focus on developer experience.
+Version 25.x marks a **complete rewrite** of ng2-pdfjs-viewer with modern Angular patterns, enhanced performance, and a focus on developer experience.
 
 :::tip Major Release
 This is a **major release** with breaking changes. Please review the [Migration Guide](./migration/overview) for upgrade instructions.

docs-website/docs/features/iframe-security.md

@@ -0,0 +1,262 @@
+# iframe Security
+
+ng2-pdfjs-viewer includes built-in iframe security features to protect your application from potential security vulnerabilities.
+
+## 🔒 Security Overview
+
+The library uses static iframe sandbox attributes to provide a secure environment for PDF viewing while maintaining full functionality. The sandbox configuration is fixed for security and Angular compliance.
+
+### Built-in Security Configuration
+
+```html
+<ng2-pdfjs-viewer pdfSrc="document.pdf"></ng2-pdfjs-viewer>
+```
+
+**Static sandbox attributes (always enabled):**
+- `allow-forms` - Enables PDF form functionality
+- `allow-scripts` - Enables PDF.js JavaScript execution
+- `allow-same-origin` - Enables loading PDF files and assets
+- `allow-modals` - Enables PDF.js dialogs (print, download)
+
+## 🛡️ Security Benefits
+
+### XSS Prevention
+- Prevents malicious scripts in PDFs from affecting the parent page
+- Isolates PDF.js execution environment
+- Blocks unauthorized access to parent window context
+
+### CSP Compliance
+- Meets Content Security Policy requirements
+- Compatible with strict CSP headers
+- Reduces security audit findings
+
+### Data Protection
+- Limits iframe access to parent window
+- Prevents data exfiltration through PDFs
+- Protects sensitive application data
+
+### Enterprise Ready
+- Suitable for corporate security environments
+- Meets regulatory compliance requirements
+- Integrates with security monitoring tools
+
+## ⚙️ Configuration Options
+
+### Basic Usage
+
+```html
+<!-- Built-in security (always enabled) -->
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf">
+</ng2-pdfjs-viewer>
+```
+
+### iframe Border Customization
+
+```html
+<!-- Custom border styling -->
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf"
+  iframeBorder="2px solid #ccc">
+</ng2-pdfjs-viewer>
+```
+
+> **Note**: Sandbox attributes are fixed for security and Angular compliance. Only border styling can be customized.
+
+## 📋 Sandbox Attributes Reference
+
+### Required Attributes
+
+| Attribute | Purpose | Required For |
+|-----------|---------|--------------|
+| `allow-forms` | PDF form functionality | PDF form filling and submission |
+| `allow-scripts` | JavaScript execution | PDF.js viewer functionality |
+| `allow-same-origin` | Same-origin requests | Loading PDF files and assets |
+| `allow-modals` | Dialog boxes | Print dialog, download confirmations |
+
+### Optional Attributes
+
+| Attribute | Purpose | Use Case |
+|-----------|---------|----------|
+| `allow-popups` | Open new windows | External window functionality |
+| `allow-downloads` | Download files | PDF download functionality |
+| `allow-top-navigation` | Navigate parent window | PDF navigation features |
+| `allow-pointer-lock` | Pointer lock API | Advanced interaction features |
+
+### Security Attributes
+
+| Attribute | Purpose | Security Impact |
+|-----------|---------|-----------------|
+| `allow-same-origin` | Same-origin requests | Required for functionality |
+| `allow-forms` | Form submission | Required for PDF forms |
+| `allow-scripts` | JavaScript execution | Required for PDF.js |
+| `allow-modals` | Dialog boxes | Required for user interactions |
+
+## 🔧 Advanced Configuration
+
+### Border Customization
+
+```typescript
+export class MyComponent {
+  // Dynamic border configuration
+  borderConfig = "0";
+  
+  // Update border based on theme
+  updateBorder(theme: string) {
+    switch (theme) {
+      case 'dark':
+        this.borderConfig = "1px solid #333";
+        break;
+      case 'light':
+        this.borderConfig = "1px solid #ccc";
+        break;
+      case 'none':
+        this.borderConfig = "0";
+        break;
+    }
+  }
+}
+```
+
+```html
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf"
+  [iframeBorder]="borderConfig">
+</ng2-pdfjs-viewer>
+```
+
+## 🧪 Testing Security Configuration
+
+### Basic Functionality Test
+
+```typescript
+describe('iframe Security', () => {
+  it('should load PDF with static sandbox', () => {
+    const fixture = TestBed.createComponent(PdfViewerComponent);
+    fixture.componentInstance.pdfSrc = 'test.pdf';
+    fixture.detectChanges();
+    
+    const iframe = fixture.debugElement.query(By.css('iframe'));
+    expect(iframe.nativeElement.sandbox).toBe('allow-forms allow-scripts allow-same-origin allow-modals');
+  });
+  
+  it('should allow custom border configuration', () => {
+    const fixture = TestBed.createComponent(PdfViewerComponent);
+    fixture.componentInstance.pdfSrc = 'test.pdf';
+    fixture.componentInstance.iframeBorder = '2px solid #ccc';
+    fixture.detectChanges();
+    
+    const iframe = fixture.debugElement.query(By.css('iframe'));
+    expect(iframe.nativeElement.style.border).toBe('2px solid #ccc');
+  });
+});
+```
+
+### Security Validation Test
+
+```typescript
+it('should prevent XSS attacks', () => {
+  // Test that malicious scripts in PDFs cannot access parent window
+  const maliciousPdf = createMaliciousPdf();
+  // ... test implementation
+});
+```
+
+## 🚨 Common Issues and Solutions
+
+### Issue: PDF Forms Not Working
+
+**Problem:** PDF forms are not interactive or submit buttons don't work.
+
+**Solution:** Ensure `allow-forms` is included in sandbox attributes.
+
+```html
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf"
+  iframeSandbox="allow-forms allow-scripts allow-same-origin allow-modals">
+</ng2-pdfjs-viewer>
+```
+
+### Issue: Download/Print Buttons Not Working
+
+**Problem:** Download and print functionality is disabled.
+
+**Solution:** Add `allow-modals` to sandbox attributes.
+
+```html
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf"
+  iframeSandbox="allow-forms allow-scripts allow-same-origin allow-modals">
+</ng2-pdfjs-viewer>
+```
+
+### Issue: External Window Not Opening
+
+**Problem:** "Open in new tab" button doesn't work.
+
+**Solution:** Add `allow-popups` to sandbox attributes.
+
+```html
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf"
+  iframeSandbox="allow-forms allow-scripts allow-same-origin allow-modals allow-popups">
+</ng2-pdfjs-viewer>
+```
+
+### Issue: PDF Not Loading
+
+**Problem:** PDF fails to load with sandbox enabled.
+
+**Solution:** Ensure `allow-same-origin` is included for same-domain PDFs.
+
+```html
+<ng2-pdfjs-viewer 
+  pdfSrc="document.pdf"
+  iframeSandbox="allow-forms allow-scripts allow-same-origin allow-modals">
+</ng2-pdfjs-viewer>
+```
+
+## 🔍 Security Best Practices
+
+### 1. Use Default Configuration
+- Start with the default sandbox attributes
+- Only add additional permissions when needed
+- Test thoroughly after any changes
+
+### 2. Regular Security Audits
+- Review sandbox configuration regularly
+- Test with security scanning tools
+- Monitor for security advisories
+
+### 3. Principle of Least Privilege
+- Only enable permissions that are actually needed
+- Document why each permission is required
+- Remove unused permissions
+
+### 4. Environment-Specific Configuration
+- Use stricter settings in production
+- Relax settings only in development when needed
+- Implement security policies consistently
+
+### 5. Monitoring and Logging
+- Monitor for security violations
+- Log sandbox configuration changes
+- Alert on unexpected behavior
+
+## 📚 Related Documentation
+
+- [Security Features Overview](./security) - Complete security guide
+- [Component Inputs](../api/component-inputs) - All configuration options
+- [Getting Started](../getting-started) - Quick setup guide
+- [Examples](../examples/basic-usage) - Practical examples
+
+## 🆘 Support
+
+If you encounter security-related issues:
+
+1. Check the [Common Issues](#-common-issues-and-solutions) section
+2. Review your sandbox configuration
+3. Test with minimal sandbox attributes
+4. Open an issue on GitHub with details
+
+Remember: Security is a shared responsibility. Always test your configuration and stay updated with security best practices.

docs-website/docs/features/overview.md

@@ -186,6 +186,7 @@ Explore specific features in detail:
 
 - 🎨 [**Theming**](./theming) - Customize the appearance
 - 🔒 [**Security**](./security) - URL validation and security features
+- 🛡️ [**iframe Security**](./iframe-security) - iframe sandbox and security configuration
 - 🪟 [**External Window**](./external-window) - External window and tab management
 - 📚 [**Examples**](../examples/basic-usage) - See it in action
 - 📖 [**API Reference**](../api/component-inputs) - Complete documentation