@callumlocke
Last active September 21, 2024 13:54

General notes

  • The iframe sandbox attribute has been fully supported by all major browsers since 2014 (per caniuse).

How to run user-submitted code

Best practice for running user-submitted code in iframes (as CodeSandbox, ObservableHQ, etc. do) is:

  • Use the sandbox attribute
  • Use the allow-* values to whitelist only the capabilities that are needed and safe.
  • Run the iframed content in a unique subdomain per user account (or narrower). ObservableHQ does this.
  • DNS config: add a wildcard subdomain record pointing at your server, e.g. *.static.foousercontent.com. 3600 IN A YOUR_SERVER_IP
    • (Observable's is USERNAME.static.observableusercontent.com - not sure what the non-static part might be for, but w/e)
    • Ensure the wildcard subdomain is covered by your SSL/TLS certificate (Let's Encrypt issues wildcard certificates).
    • Configure web server to accept requests for any subdomain.
  • App logic: examine the subdomain of the incoming request and handle it as appropriate. If it does not name an existing user, return a 404. If it does, check that the requester is an authenticated user with access (the user named by the subdomain, a superuser, or another user who has been granted access) and only then return the response.
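The subdomain routing and sandbox attribute described above, as an added example that is not code from the gist: static.foousercontent.com is the gist's placeholder domain, while the user store, session user and the set of permitted sandbox tokens are constructed assumptions.

```javascript
// Added example (not from the gist). Per-user subdomain routing for the
// user-content origin plus the sandboxed iframe the main app embeds.
const USER_CONTENT_SUFFIX = '.static.foousercontent.com';

// A single DNS label: letters, digits and inner hyphens, max 63 chars.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Return the user-name label from a Host header, or null unless the host is
// exactly USERNAME.static.foousercontent.com (one label, nothing nested).
function userFromHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const host = hostHeader.toLowerCase().split(':')[0]; // drop any port
  if (!host.endsWith(USER_CONTENT_SUFFIX)) return null;
  const label = host.slice(0, -USER_CONTENT_SUFFIX.length);
  return LABEL_RE.test(label) ? label : null; // rejects '' and 'a.b'
}

// Constructed stand-ins for the user store and superuser list.
const USERS = new Set(['alice', 'bob']);
const SUPERUSERS = new Set(['root']);

// HTTP status for a request on the user-content origin: 404 if the
// subdomain names no existing user, 403 if the session user may not see
// that user's content, 200 otherwise.
function authorize(hostHeader, sessionUser) {
  const owner = userFromHost(hostHeader);
  if (owner === null || !USERS.has(owner)) return 404;
  if (sessionUser === owner || SUPERUSERS.has(sessionUser)) return 200;
  return 403;
}

// Markup for the iframe the main app embeds. Only tokens on the permitted
// list are granted; allow-same-origin is deliberately not on it, so the
// frame runs with an opaque origin on top of its distinct subdomain.
function sandboxedIframeHtml(owner, path, allow = ['allow-scripts']) {
  const permitted = new Set(['allow-scripts', 'allow-forms', 'allow-popups', 'allow-modals']);
  for (const t of allow) {
    if (!permitted.has(t)) throw new Error(`refusing sandbox token ${t}`);
  }
  if (!LABEL_RE.test(owner)) throw new Error('invalid owner label');
  if (!/^\/[\w./-]*$/.test(path)) throw new Error('invalid path');
  const src = `https://${owner}${USER_CONTENT_SUFFIX}${path}`;
  return `<iframe sandbox="${allow.join(' ')}" src="${src}"></iframe>`;
}
```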