Guide for Iframe and Content Security Policy (CSP)
- Iframe CSP Sandboxing
npm install
npm start
http://localhost:3000/iframecspsandbox.html
-
Security
When using an iframe, we are dealing with content coming from third party. you are increasing the risk of having potential vulnerability attack in your application. Luckily, we got "sandbox" attributeRule of thumb: follow "the principle of least privilege" -
sandbox="allow-same-origin"
-
referrerPolicy="strict-origin"
-
Attribute details:
| Flag | Details |
|---|---|
| allow-forms | Allows form submission. |
| allow-modals | Allows the resource to open new modal windows. |
| allow-orientation-lock | Allows the resource to lock the screen orientation. |
| allow-pointer-lock | Allows the resource to use the Pointer Lock API. |
| allow-popups | Allows the resource to open new popups or tabs. |
| allow-popups-to-escape-sandbox | Allows the resource to open new windows that will not inherit the sandboxing. |
| allow-presentation | Allows the resource to start a presentation session. |
| allow-same-origin | Allows the resource to maintain its origin. |
| allow-scripts | Allows the resource to run scripts. |
| allow-top-navigation | Allows the resource to navigate the top-level browsing context. |
| allow-top-navigation-by-user-activation | Allows the resource to navigate the top-level browsing context, but only if initiated by a user gesture. |