I run a site that displays user-generated SVGs. They are untrusted, so they need to be sandboxed.
I currently embed these SVGs using <object> elements. (Unlike <img>, this allows loading external fonts. And unlike using an <iframe>, the <object> resizes to the SVG's content size. See this discussion.)
However, I don't know whether these SVGs are appropriately sandboxed when using <object>. The <iframe> permissions model is fairly clear, e.g. <iframe sandbox="allow-scripts"> disallows everything except running scripts. But what is the sandbox/permission model for <object> elements?
- When I embed a page using <object>, what can that page do by default? E.g. what cookies can it access? Is it the same as an <iframe> without the sandbox attribute?
- What are the implications of hosting the user content SVGs on the same domain? Should I instead host them on foobarusercontent.com?
- Does the <object> tag support an equivalent of the sandbox attribute? Is there another way to set permissions for an <object>?
- What specifications describe the security model for <object>?
CodePudding user response:
When I embed a page using <object>, what can that page do by default? E.g. what cookies can it access? Is it the same as an <iframe> without the sandbox attribute?
Yes (at least in some browsers). The object can access the cookies that are on the same origin that it is included from (but not the origin that includes it).
You can test this with an SVG file:
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="110">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script>alert(document.cookie)</script>
</svg>
which you can include:
<script>document.cookie="test=test";</script>
<object data=./x.svg></object>
This will work in Firefox (but not in Chrome, which apparently blocks JavaScript in objects; though I'm not sure if this behavior is documented, and I wouldn't rely on it for security purposes).
If the data attribute references a different domain, you won't be able to access the cookies of the embedding page (via top or parent; at least in Firefox).
What are the implications of hosting the user content SVGs on the same domain? Should I instead host them on foobarusercontent.com?
Yes, that would restrict the users' actions to the origin foobarusercontent.com (which may or may not be appropriate for your use).
Does the <object> tag support an equivalent of the sandbox attribute? Is there another way to set permissions for an <object>?
Not as far as I am aware (see also mozilla, which doesn't list any relevant tags).
What specifications describe the security model for <object>?
I am unaware of a standard for this. Because of this, I would be very careful when embedding user-supplied data into an object. Hosting the data on a designated domain is a good idea. Parsing the data and filtering malicious (JavaScript-related) tags and attributes would also be good (if acceptable). Do ensure that it is acceptable that users can run JavaScript on that domain (i.e. no auth cookies; I also wouldn't allow uploading of .js files to the domain, as it would allow installation of service workers, which would allow an attacker to log URLs users visit, and thus possibly disclose (private) files hosted on the domain).
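One way to do the filtering this answer recommends, as an added example that is not the answer author's code: a small Python sanitizer run on upload, before the SVG is served from the separate user-content domain. The element and attribute lists (script, foreignObject, on* handlers, javascript:/data:/vbscript: URLs) and the use of the standard-library XML parser are my assumptions; against hostile XML (entity expansion) a hardened parser such as defusedxml should replace ET.fromstring.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Assumed deny-list: elements that run script or embed arbitrary HTML.
DANGEROUS_TAGS = {"script", "foreignObject"}
# Attributes carrying a URL; script-bearing schemes are dropped.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def _unsafe_url(value: str) -> bool:
    # Normalise whitespace tricks such as "java\nscript:" before checking.
    scheme = "".join(value.split()).lower()
    return scheme.startswith(("javascript:", "data:", "vbscript:"))


def sanitize_svg(svg_text: str):
    """Return (cleaned SVG string, list describing what was removed)."""
    ET.register_namespace("", SVG_NS)      # keep a default xmlns on output
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    removed = []
    # Snapshot the tree first so children can be deleted while walking.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_TAGS:
                parent.remove(child)
                removed.append("<%s>" % _local(child.tag))
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr)
            if name.lower().startswith("on"):           # onload, onclick, ...
                del el.attrib[attr]
                removed.append("@" + name)
            elif attr in URL_ATTRS and _unsafe_url(el.attrib[attr]):
                del el.attrib[attr]
                removed.append("@" + name)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: the answer's test file plus a handler and a javascript: link.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" '
          'xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="110">'
          '<rect width="300" height="100" onclick="alert(1)"/>'
          '<a xlink:href="javascript:alert(document.cookie)"><text>x</text></a>'
          '<script>alert(document.cookie)</script></svg>')
```

Scripts already blocked by the separate-origin hosting are still worth stripping, since the browser behaviour described above differs between Firefox and Chrome.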
CodePudding user response:
Looking at the HTML specifications it doesn't seem like it's possible to set a sandbox attribute.
Here are some examples of how object might be used.
According to Mozilla, adding a sandbox attribute to object was discussed at some point on WHATWG's mailing list.
Reference to discussion mention
It seems the iframe tag has existed since May 2008 according to this. I've been looking through the mailing list from that date but I haven't found that discussion about object sandboxing yet.
Here's the mailing list that's been archived.
I think for any further information you should consider chatting with WHATWG right here.