
Sandbox Security

Overview

With Infinity v37, to enhance the security of the Plugin API, the default sandbox policy for iframes has been made more restrictive. These changes may impact plugin functionality if a plugin relies on features that the new sandbox configuration does not permit.

Key Changes

  1. Restrictive Sandbox Policy

    • A more restrictive default sandbox policy is now applied to iframes. This aims to enhance security but may cause certain plugins to lose functionality if they rely on unsupported behaviors.
  2. Default Sandbox Configuration

    • The default value for the sandbox attribute is:

      sandbox="allow-scripts"
    • This configuration:

      • Allows scripts to execute within the iframe.
      • Disallows other capabilities, such as access to same-origin resources or opening pop-ups.
  3. Additional Permissions via Manifest

    • Additional values can be specified by setting the sandboxValues property of the plugin entry in the manifest. It is an array of additional sandbox keywords. Registering a plugin with additional permissions looks like the following in the manifest.

      "plugins": [{"src": "./plugins/example-plugin/index.html", "sandboxValues":["allow-same-origin"]}]

Allowed Sandbox Values

Only the following values are allowed; any other value is ignored.

allow-scripts (default)

  • Description: Permits the execution of JavaScript within the iframe.
  • Impact:
    • Enables dynamic functionality such as interactive content or API calls within the plugin.
    • Scripts remain confined to the iframe's environment and cannot access the parent page.
  • Security Consideration:
    • Inline scripts are typically disallowed unless accompanied by a Content Security Policy (CSP).

allow-same-origin

  • Description: Allows the iframe to retain its original security context (origin).
  • Impact:
    • Enables plugins to use cookies, localStorage, and sessionStorage tied to their domain.
    • Necessary for proper functioning of authentication mechanisms and API requests.
  • Security Consideration:
    • Potentially risky if combined with allow-scripts, as it could expose sensitive data. This is mitigated by ensuring plugins are trusted and vetted.

allow-popups

  • Description: Grants the iframe permission to open new browser windows or tabs using window.open.
  • Impact:
    • Plugins can display additional information or provide expanded functionality in a new window.
  • Security Consideration:
    • Popups are confined by browser security policies and cannot directly interact with the parent page unless explicitly allowed.

allow-popups-to-escape-sandbox

  • Description: Permits popups opened by the iframe to operate without the restrictions of the iframe’s sandbox.
  • Impact:
    • Allows plugins to provide fully functional popups (e.g., for OAuth flows or detailed reports).
    • The sandbox restrictions do not apply to these popups, enabling unrestricted browsing or navigation.
  • Security Consideration:
    • Use with caution to avoid exposing the parent page to malicious actions via the popup. Plugin domains must be trusted.

allow-forms

  • Description: Permits the iframe to submit forms.
  • Impact:
    • If this keyword is not present, forms can still be displayed, but not submitted.
    • Needed if, for example, the form needs to trigger input validation, send data to a web server or close a dialog.
  • Security Consideration:
    • Ensure that the endpoint to which data is sent is trusted.
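As an added example (not Infinity's own implementation), the following JavaScript models the mapping described above from a manifest plugin entry to the iframe sandbox attribute: allow-scripts is always present, keywords outside the allowed list are dropped, and the allow-scripts + allow-same-origin combination flagged in the Security Consideration is reported so the host can log it. The function names and the returned shape are assumptions.

```javascript
// Added example, not the Infinity Plugin API's own code.
// Keywords the page lists as accepted; everything else is ignored.
const ALLOWED_SANDBOX_VALUES = new Set([
  "allow-scripts",
  "allow-same-origin",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-forms",
]);

// The default attribute is sandbox="allow-scripts".
const DEFAULT_SANDBOX = ["allow-scripts"];

// Compute the effective sandbox tokens for one manifest plugin entry.
// Returns { tokens, ignored, warnings } so the host can audit what it granted.
function effectiveSandbox(pluginEntry) {
  const requested = Array.isArray(pluginEntry.sandboxValues)
    ? pluginEntry.sandboxValues
    : [];
  const tokens = new Set(DEFAULT_SANDBOX); // allow-scripts is always on
  const ignored = [];
  for (const value of requested) {
    const keyword = typeof value === "string" ? value.trim() : String(value);
    if (ALLOWED_SANDBOX_VALUES.has(keyword)) tokens.add(keyword);
    else ignored.push(keyword); // unknown keyword: silently dropped, recorded here
  }
  const warnings = [];
  if (tokens.has("allow-same-origin")) {
    // allow-scripts is always set, so allow-same-origin always produces the
    // combination the page marks as risky; only vetted plugins should get it.
    warnings.push(
      `${pluginEntry.src}: allow-scripts + allow-same-origin grants the plugin ` +
        "its origin's cookies and storage; plugin must be trusted and vetted."
    );
  }
  return { tokens: [...tokens], ignored, warnings };
}

// Render the value that goes into the iframe's sandbox attribute.
function sandboxAttribute(pluginEntry) {
  return effectiveSandbox(pluginEntry).tokens.join(" ");
}

// Constructed manifest entry for demonstration (allow-top-navigation is not
// in the allowed list and is therefore ignored).
const examplePlugin = {
  src: "./plugins/example-plugin/index.html",
  sandboxValues: ["allow-same-origin", "allow-top-navigation", "allow-forms"],
};
console.log(sandboxAttribute(examplePlugin), effectiveSandbox(examplePlugin));
```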