Iframe security with 3rd party content #1145
Answered by nothingismagick. slatelayer asked this question in Q&A.
Anytime you pull JavaScript from the outside universe you are creating a
portal that can be dangerous, especially if you do not trust them. I do
have some recommendations though.
- Find an alternative that is just data.
- Only ship the API endpoints you need with the acceptlist. This will make
  unneeded endpoints unavailable.
- Create a nonce at startup, place it in a randomly named object in your JS
  && Rust and use that in your authorized messages to validate them.
- If you are truly paranoid, use the Noise protocol.
The latter two are things I will be designing over the coming weeks, so if
you want to have a discussion about them, ping me on Discord.
Answer selected by jbolda
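The allowlist and startup-nonce recommendations from the answer, sketched for the Rust side as an added example (not code from this thread or from Tauri). `MessageGate`, `Rejected` and the command names are hypothetical, and reading `/dev/urandom` assumes a Unix-like host; a real application would use a CSPRNG crate.

```rust
use std::collections::HashSet;
use std::fs::File;
use std::io::Read;

/// Why a message from the webview was refused.
#[derive(Debug, PartialEq)]
pub enum Rejected { BadNonce, CommandNotAllowed }

/// Host-side gate: a per-launch nonce plus an allowlist of command names.
pub struct MessageGate { nonce_hex: String, allowed: HashSet<&'static str> }

impl MessageGate {
    /// Draw a fresh 256-bit nonce at startup.
    /// Assumption: /dev/urandom exists (Unix-like host).
    pub fn new(allowed: &[&'static str]) -> std::io::Result<Self> {
        let mut raw = [0u8; 32];
        File::open("/dev/urandom")?.read_exact(&mut raw)?;
        let nonce_hex: String = raw.iter().map(|b| format!("{:02x}", b)).collect();
        Ok(Self { nonce_hex, allowed: allowed.iter().copied().collect() })
    }

    /// Nonce handed once to the trusted frontend script, never to framed content.
    pub fn nonce(&self) -> &str { &self.nonce_hex }

    /// Accept a message only if its nonce matches and its command is allowlisted.
    pub fn check(&self, nonce: &str, command: &str) -> Result<(), Rejected> {
        let (a, b) = (self.nonce_hex.as_bytes(), nonce.as_bytes());
        // No early exit: timing must not reveal how many leading bytes matched.
        let mut diff = a.len() ^ b.len();
        for i in 0..a.len() {
            diff |= (a[i] ^ *b.get(i).unwrap_or(&0)) as usize;
        }
        if diff != 0 { return Err(Rejected::BadNonce); }
        if !self.allowed.contains(command) { return Err(Rejected::CommandNotAllowed); }
        Ok(())
    }
}

fn main() -> std::io::Result<()> {
    // Constructed command names, for illustration only.
    let gate = MessageGate::new(&["read_settings", "open_tab"])?;
    let good = gate.nonce().to_string();
    println!("{:?}", gate.check(&good, "open_tab"));    // nonce and command both valid
    println!("{:?}", gate.check("guess", "open_tab"));  // sender does not know the nonce
    println!("{:?}", gate.check(&good, "delete_file")); // command was never shipped
    Ok(())
}
```

The nonce check runs before the allowlist lookup, so a sender without the nonce learns nothing about which command names exist.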
Is it safe to load 3rd party URLs in iframes?
I guess it would be difficult / impossible for a 3rd party to map your API with the randomization, but is there anything else to worry about?
I need a secure in-app browser context, where there may be many of them open concurrently (and if I use iframes, I need to ignore iframe-options headers), and I would like to lay them out with DOM, like the Chromium webview element. Can I do something like that with Tauri?