Security Issues for allowing users to add own JavaScript to your site?

by

Yes you could use HTML5 Sandbox to only load user scripts in an IFrame.

You should only host user content from a different domain than your main site. This will prevent any XSS attack if an attacker convinces a user to visit the page directly (outside of the sandbox). e.g. if your site is www.example.com you could use the following code to display the sandboxed IFrame (note .org rather than .com, which is an entirely different domain):

<iframe src="https://www.example.org/show_user_script.aspx?id=123" sandbox="allow-scripts"></iframe>

This will allow scripts, but forms and navigation outside of the IFrame will be prevented. Note that this approach could still risk a user hosting a phishing form to capture credentials. You should make sure that the boundaries between your site and the user content are clear within the user interface. Even though we haven’t specified allow-forms, this only prevents a form from being submitted directly, it does not prevent form elements and JavaScript event handlers from sending any data to an external domain.

The HTML5 Security Cheat Sheet guidance on OWASP states this is the purpose of the sandbox:

Use the sandbox attribute of an iframe for untrusted content

You should test whether sandbox is supported first, before rendering the IFrame:

<iframe src="https://stackoverflow.com/blank.htm" sandbox="allow-scripts" id="foo"></iframe>

var sandboxSupported = "sandbox" in document.createElement("iframe");

if (sandboxSupported) {
    document.getElementById('foo').setAttribute('src', 'https://www.example.org/show_user_script.aspx?id=123');
}
else
{
    // Not safe to display IFrame
}

It is safer to do it this way by dynamically changing the src rather than redirecting away if sandboxSupported is false because then the iframe will not accidentally be rendered if the redirect doesn’t happen in time.

As a simpler alternative, without the need to check whether the sandbox is supported, you can use the srcdoc IFrame attribute to generate the sandboxed content, making sure that all content is HTML encoded:

e.g.
<html><head></head><body>This could be unsafe</body></html>

would be rendered as

<iframe srcdoc="&lt;html&gt;&lt;head&gt;&lt;/head&gt;&lt;body&gt;This could be unsafe&lt;/body&gt;&lt;/html&gt;" sandbox="allow-scripts"></iframe>

Or you could construct a data blob object, being careful to HTML encode again:

<body data-userdoc="&lt;html&gt;&lt;head&gt;&lt;/head&gt;&lt;body&gt;This could be unsafe&lt;/body&gt;&lt;/html&gt;">

<script>
var unsafeDoc = new Blob([document.body.dataset.userdoc], {type: 'text/html'});

var iframe = document.createElement('iframe');
iframe.src = window.URL.createObjectURL(unsafeDoc);
iframe.sandbox = 'allow-scripts';
</script>

Of course you could also set the unsafeDoc variable from a JSON data source. It is not recommended to load an HTML file, as this has the same problem of it having to be from an external domain, as the attacker could just entice the user to load that directly.

Also, please don’t be tempted to write user content into a script block directly. As shown above, data attributes is the safe way to do this, as long as correct HTML encoding is carried out on the user data as it is output server-side.

In these cases you can leave src as blank.html as older browsers that do not support srcdoc will simply load that URL.

As @Snowburnt touches upon, there is nothing stopping a user script from redirecting a user to a site where a drive-by download occurs, but this approach, assuming a user is up to date on patches, and there are no zero day vulnerabilities, this is a safe approach because it protects its end users and their data on your site via the same origin policy.

More Related Contents:

  1. Why does Google prepend while(1); to their JSON responses?
  2. Why is using the JavaScript eval function a bad idea?
  3. SecurityError: Blocked a frame with origin from accessing a cross-origin frame
  4. JavaScript: client-side vs. server-side validation
  5. Sanitize/Rewrite HTML on the Client Side
  6. How does Content Security Policy (CSP) work?
  7. Detecting if a browser is using Private Browsing mode
  8. How to read a HttpOnly cookie using JavaScript
  9. What are “top level JSON arrays” and why are they a security risk?
  10. Where to save a JWT in a browser-based application and how to use it
  11. Is JSON Hijacking still an issue in modern browsers?
  12. Cross-site AJAX requests
  13. What good ways are there to prevent cheating in JavaScript multiplayer games?
  14. Is Javascript eval() so dangerous? [duplicate]
  15. Secure distribution of NodeJS applications
  16. JSON security best practices?
  17. How to prevent direct access to my JSON service?
  18. How to prevent html/JavaScript code modification
  19. CSRF protection with CORS Origin header vs. CSRF token
  20. Safe value must use [property]=binding after bypass security with DomSanitizer
  21. Why does Google prepend while(1); to their JSON responses?
  22. Check if a file exists locally using JavaScript only
  23. Web application access user’s file system
  24. How to secure the JavaScript API Access Token?
  25. Disable drop paste in HTML input fields? [duplicate]
  26. How to send secure AJAX requests with PHP and jQuery
  27. What makes an input vulnerable to XSS?
  28. Get height of iframe with external URL
  29. Javascript – key / certificate from USB Token
  30. Embedding youtube video “Refused to display document because display forbidden by X-Frame-Options”

Leave a Comment