Sandbox Security
Overview
With Infinity v37, to enhance the security of the Plugin API, the default sandbox policy for plugin iframes has been made more restrictive. These changes may break plugins that rely on features the new sandbox configuration does not permit.
Key Changes
Restrictive Sandbox Policy
- A more restrictive default sandbox policy is now applied to iframes. This aims to enhance security but may cause certain plugins to lose functionality if they rely on unsupported behaviors.
Default Sandbox Configuration
The default value for the sandbox attribute is:
sandbox="allow-scripts"
This configuration:
- Allows scripts to execute within the iframe.
- Disallows everything else: the iframe runs in a unique opaque origin (no same-origin access to cookies or storage), cannot submit forms, and cannot open pop-ups.
Additional Permissions via Manifest
Additional sandbox values can be requested by setting the sandboxValues property of the plugin entry in the manifest. It is an array of values that are added to the default. Registering a plugin with additional permissions looks like the following in the manifest:

"plugins": [
  {
    "src": "./plugins/example-plugin/index.html",
    "sandboxValues": ["allow-same-origin"]
  }
]
Allowed Sandbox Values
Only the following values are allowed; any other value is ignored.
allow-scripts (default)
- Description: Permits the execution of JavaScript within the iframe.
- Impact:
- Enables dynamic functionality such as interactive content or API calls within the plugin.
- Without allow-same-origin the iframe runs in an opaque origin, so its scripts cannot read the parent page's DOM or storage.
- Security Consideration:
- The sandbox attribute does not itself block inline scripts; whether inline scripts run is governed by the Content Security Policy (script-src) that applies to the plugin document, if one is set.
allow-same-origin
- Description: Allows the iframe to retain its original security context (origin).
- Impact:
- Enables plugins to use cookies, localStorage, and sessionStorage tied to their domain.
- Necessary for proper functioning of authentication mechanisms and API requests.
- Security Consideration:
- Risky when combined with allow-scripts: if the plugin document is served from the same origin as the host page (for example from ./plugins/... on the host), its scripts can reach the parent document and can even remove the sandbox attribute from their own iframe, which defeats the sandbox entirely. This is mitigated by ensuring plugins are trusted and vetted, or by serving them from a separate origin.
allow-popups
- Description: Grants the iframe permission to open new browser windows or tabs using window.open.
- Impact:
- Plugins can display additional information or provide expanded functionality in a new window.
- Security Consideration:
- Windows opened from the iframe inherit its sandbox flags (unless allow-popups-to-escape-sandbox is also set) and cannot interact with the parent page.
allow-popups-to-escape-sandbox
- Description: Permits popups opened by the iframe to operate without the restrictions of the iframe’s sandbox.
- Impact:
- Allows plugins to provide fully functional popups (e.g., for OAuth flows or detailed reports).
- The sandbox restrictions do not apply to these popups, enabling unrestricted browsing or navigation.
- Security Consideration:
- Use with caution: the popup runs unsandboxed, so a malicious plugin could use it to act against the parent page. Plugin domains must be trusted.
allow-forms
- Description: Permits the iframe to submit forms.
- Impact:
- If this keyword is not present, forms can still be displayed, but not submitted.
- Needed if, for example, the form needs to trigger input validation, send data to a web server or close a dialog.
- Security Consideration:
- Ensure that the endpoint to which data is sent is trusted.
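The following is an added example, not Infinity's own loader code, showing how the manifest's sandboxValues property and the allowlist above combine into the iframe's sandbox attribute: the default allow-scripts is always present, unknown tokens are dropped, and the allow-scripts + allow-same-origin combination is flagged when the plugin resolves to the host page's own origin. The function names, the host origin and the manifest entries are assumptions made for this example.

```javascript
// Added example (not part of the Infinity Plugin API): compute the iframe
// sandbox attribute for a plugin from its manifest entry.
// effectiveSandbox, pluginSandboxReport, createPluginFrame and HOST_ORIGIN
// are names assumed for this example.

// Values the page lists as accepted; anything else in sandboxValues is ignored.
const ALLOWED_SANDBOX_VALUES = new Set([
  "allow-scripts",
  "allow-same-origin",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-forms",
]);

const DEFAULT_SANDBOX = "allow-scripts";

// Returns the space-separated sandbox attribute value for a manifest entry.
// Unknown tokens are dropped (and reported), duplicates collapsed, and the
// default allow-scripts is always present.
function effectiveSandbox(entry) {
  const requested = Array.isArray(entry.sandboxValues) ? entry.sandboxValues : [];
  const accepted = new Set([DEFAULT_SANDBOX]);
  const ignored = [];
  for (const token of requested) {
    if (ALLOWED_SANDBOX_VALUES.has(token)) accepted.add(token);
    else ignored.push(token);
  }
  return { sandbox: [...accepted].join(" "), ignored };
}

// Flags the combination the page warns about: allow-scripts plus
// allow-same-origin on a plugin served from the host page's own origin, which
// lets plugin script reach the parent document (and remove its own sandbox).
function pluginSandboxReport(entry, hostOrigin) {
  const { sandbox, ignored } = effectiveSandbox(entry);
  const tokens = sandbox.split(" ");
  const pluginOrigin = new URL(entry.src, hostOrigin).origin;
  const sameOriginEscape =
    tokens.includes("allow-scripts") &&
    tokens.includes("allow-same-origin") &&
    pluginOrigin === hostOrigin;
  return { src: entry.src, sandbox, ignored, pluginOrigin, sameOriginEscape };
}

// In the browser: set the sandbox attribute before assigning src, so the
// sandbox applies to the first document the frame loads.
function createPluginFrame(doc, entry, hostOrigin) {
  const iframe = doc.createElement("iframe");
  iframe.setAttribute("sandbox", effectiveSandbox(entry).sandbox);
  iframe.src = new URL(entry.src, hostOrigin).href;
  return iframe;
}

// Constructed manifest excerpt in the shape shown above (not real plugins).
const manifest = {
  plugins: [
    { src: "./plugins/example-plugin/index.html", sandboxValues: ["allow-same-origin"] },
    {
      src: "https://plugins.example.net/report/index.html",
      sandboxValues: ["allow-popups", "allow-popups-to-escape-sandbox", "allow-top-navigation"],
    },
    { src: "./plugins/form-plugin/index.html" },
  ],
};

const HOST_ORIGIN = "https://infinity.example.com"; // assumed host page origin

for (const entry of manifest.plugins) {
  const r = pluginSandboxReport(entry, HOST_ORIGIN);
  console.log(`${r.src}\n  sandbox="${r.sandbox}"`);
  if (r.ignored.length) console.log(`  ignored: ${r.ignored.join(", ")}`);
  if (r.sameOriginEscape) {
    console.log("  WARNING: same-origin plugin with allow-scripts + allow-same-origin can reach the parent document");
  }
}
```

The first entry is the case to review before deployment: a relative src resolves to the host origin, so allow-same-origin gives its scripts the parent's origin. The third entry gets only the default and therefore cannot submit forms until allow-forms is added to its sandboxValues.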