我有一个看起来像这样的框架: <iframe srcdoc="*insert HTML here*"></iframe> 。
框架中可能有一些javascript,这没关系。
如何防止该帧的内容连接到网络?
这包括: - Javascript的HTTP请求和WebSocket连接等 - CSS中引用的远程资源 - HTML代码中的外部文件
是否有某种沙箱规则来禁用远程连接,还是我必须正则表达所有这些? 如果是这样,在应用正则表达式时应该注意什么?
I have a frame that looks like this: <iframe srcdoc="*insert HTML here*"></iframe>.
The frame may have some javascript in it and that's okay.
How could I prevent the contents of that frame from connecting to the network?
This includes: - Javascript's HTTP requests and WebSocket connections etc - Remote resources referenced in CSS - External files in the HTML code
Is there some kind of sandbox rule to disable remote connections or do I have to regex all of that out? If so, what should I watch out for when applying the regex?
最满意答案
目前还没有可靠的方法来实现这一目标。
sandbox属性无法应用您尝试在此处应用的限制类型。 内容安全策略可以(有一些困难),但目前无法将此类策略可靠地应用于其内容由srcdoc属性设置的<iframe> ,因为无法模拟HTTP标头这样的文件。 实际上,带有srcdoc的iframe只是被视为嵌入它的页面的一部分,并从该页面继承任何Content-Security-Policy!
W3C草案规范“ 内容安全策略:嵌入式实施 ”提出了一个csp属性。 将来,这可能可用于对此类文档应用限制。
但是,在此期间,您可能需要通过沙箱域提供此内容,或重新考虑您的设计。
There is currently no reliable way of accomplishing this.
The sandbox attribute cannot apply the type of restriction you are trying to apply here. A Content-Security-Policy can (with some difficulty), but there is currently no way of reliably applying such a policy to an <iframe> that has its contents set by the srcdoc attribute, as there is no way of simulating HTTP headers for such a document. Indeed, an iframe with srcdoc is simply treated as part of the page which embeds it, and inherits any Content-Security-Policy from that page!
The W3C draft specification "Content Security Policy: Embedded Enforcement" has proposed a csp attribute. In the future, this might be usable to apply restrictions to such a document.
In the meantime, however, you will probably need to serve this content through a sandbox domain, or rethink your design.
更多推荐
发布评论