Iframe security with 3rd party content #1145
Answered by nothingismagick
slatelayer asked this question in Q&A
Anytime you pull JavaScript from the outside universe you are creating a portal that can be dangerous, especially if you do not trust them. I do have some recommendations though:

1. Find an alternative that is just data.
2. Only ship the API endpoints you need with the acceptlist. This will make unneeded endpoints unavailable.
3. Create a nonce at startup, place it in a randomly named object in your JS and Rust, and use that in your authorized messages to validate them.
4. If you are truly paranoid, use the Noise protocol.

The latter two are things I will be designing over the coming weeks, so if you want to have a discussion about them, ping me on Discord.
Answer selected by jbolda
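To make the acceptlist and nonce recommendations above concrete, here is an added Rust example. It is not code from this thread and not Tauri's own IPC implementation: it shows a per-run nonce that is injected into the app's own page under a random global name, and a message gate that checks the nonce before it even looks at the command, then consults an acceptlist of the commands this build exposes. The `cmd=<name>;nonce=<hex>` wire format, the `Gate` and `Message` names, and the use of `RandomState` as a dependency-free stand-in for a CSPRNG are all assumptions made for the example.

```rust
use std::collections::hash_map::RandomState;
use std::collections::HashSet;
use std::hash::{BuildHasher, Hash, Hasher};

/// Startup secret shared only with the app's own page. Assumed stand-in for a
/// CSPRNG: `RandomState` is seeded from the OS once per process, which keeps
/// the example dependency-free; production code should draw these bytes from
/// `getrandom` or `rand::rngs::OsRng` instead.
pub fn generate_nonce() -> String {
    let state = RandomState::new();
    let mut hex = String::with_capacity(32);
    for counter in 0u64..2 {
        let mut hasher = state.build_hasher();
        counter.hash(&mut hasher);
        hex.push_str(&format!("{:016x}", hasher.finish()));
    }
    hex
}

/// Compare two secrets without an early exit, so a wrong nonce costs the same
/// time whether it differs in the first byte or the last.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Why a message was refused. A rejection never reveals which commands exist.
#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    MissingNonce,
    BadNonce,
    CommandNotAllowed,
}

/// One message as it arrives from the webview. Assumed wire format for this
/// example: `cmd=<name>;nonce=<hex>` (a real app would send JSON).
pub struct Message<'a> {
    pub command: &'a str,
    pub nonce: Option<&'a str>,
}

pub fn parse_message(raw: &str) -> Message<'_> {
    let mut command = "";
    let mut nonce = None;
    for field in raw.split(';') {
        match field.split_once('=') {
            Some(("cmd", value)) => command = value,
            Some(("nonce", value)) => nonce = Some(value),
            _ => {} // unknown or malformed fields are ignored, never trusted
        }
    }
    Message { command, nonce }
}

/// The gate every incoming message passes through: a per-run nonce plus an
/// acceptlist of the commands this build actually ships.
pub struct Gate {
    nonce: String,
    global_name: String,
    allowed: HashSet<&'static str>,
}

impl Gate {
    pub fn new(allowed: &[&'static str]) -> Self {
        Gate {
            nonce: generate_nonce(),
            // Random global name so a script cannot simply read a well-known
            // `window.__NONCE__`; it first has to find the object.
            global_name: format!("__{}", &generate_nonce()[..12]),
            allowed: allowed.iter().copied().collect(),
        }
    }

    pub fn nonce(&self) -> &str {
        &self.nonce
    }

    /// JS injected into the app's own page (never into a third-party frame)
    /// before any other script runs.
    pub fn bootstrap_script(&self) -> String {
        format!(
            "window[\"{}\"] = Object.freeze({{ nonce: \"{}\" }});",
            self.global_name, self.nonce
        )
    }

    /// The nonce is checked before the command name is consulted, so a caller
    /// without the nonce cannot probe which commands exist.
    pub fn authorize(&self, msg: &Message<'_>) -> Result<&'static str, Reject> {
        let presented = msg.nonce.ok_or(Reject::MissingNonce)?;
        if !constant_time_eq(presented.as_bytes(), self.nonce.as_bytes()) {
            return Err(Reject::BadNonce);
        }
        self.allowed
            .get(msg.command)
            .copied()
            .ok_or(Reject::CommandNotAllowed)
    }
}

fn main() {
    let gate = Gate::new(&["readFile", "notify"]);
    println!("{}", gate.bootstrap_script());
    // Constructed sample traffic: one legitimate call, then what a script in an
    // untrusted frame could send without knowing the nonce.
    let legit = format!("cmd=readFile;nonce={}", gate.nonce());
    for raw in [legit.as_str(), "cmd=readFile", "cmd=writeFile;nonce=0000"] {
        println!("{raw:?} -> {:?}", gate.authorize(&parse_message(raw)));
    }
}
```

Two caveats on what this buys. A cross-origin iframe cannot read the parent window's globals at all, so against it the nonce is a real secret and the random name is just belt and braces. A script that executes inside your own document, which is the "pull JavaScript from the outside universe" case, can enumerate `Object.keys(window)` or hook whatever function sends the message, so the random name only delays it; that is why "find an alternative that is just data" comes first in the list.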
Is it safe to load 3rd party URLs in iframes?

I guess it would be difficult / impossible for a 3rd party to map your API with the randomization, but is there anything else to worry about?

I need a secure in-app browser context, where there may be many of them open concurrently (and if I use iframes, I need to ignore iframe-options headers), and I would like to lay them out with DOM, like the Chromium webview element. Can I do something like that with Tauri?