Web Content addon and security

The web content addon uses an iframe to display external web content in your board, and security was our main concern when adding such a feature.

Here are the known security threats related to iframes and what we did to prevent each of them:

  1. Clickjacking: by default, we block interaction with the iframe content, so the user cannot click on anything inside the iframe. If interaction is activated, users have to treat the content with the same caution as any other web browsing session.
  2. Cross-frame scripting (XFS): this risk is not related to the web content addon; it is a risk when iObeya itself is embedded in an iframe.
    We use the Content-Security-Policy frame-ancestors directive to make sure iObeya cannot be embedded in a malicious website that would allow cross-frame scripting.
  3. Cross-site scripting (XSS), iframe phishing and iframe injection: we enforce the sandbox attribute on all iframes to prevent the iframe from triggering top-level navigation.
  4. Dialog box threats: we enforce the sandbox attribute on all iframes to prevent the iframe from opening dialog boxes.
  5. Shadow downloads: we enforce the sandbox attribute on all iframes to prevent the iframe from starting any download.

Since version 4.22, you can also use a whitelist to allow specific domains only: more information here
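The following is an added example, not iObeya's own code, showing how the protections listed above fit together on the embedding side: a sandbox attribute that omits the tokens for top-level navigation, dialogs, downloads and popups, pointer-events blocked unless interaction is enabled, a domain whitelist check, and the frame-ancestors policy that protects the application itself from being framed. The function names, option names and sample domains are assumptions made for this illustration.

```javascript
// Added example (not iObeya's code). Names such as buildFrameAttributes,
// buildFrameAncestorsCsp and the option names are assumptions.

// Sandbox tokens deliberately NOT granted: allow-top-navigation and
// allow-top-navigation-by-user-activation (iframe phishing / injection),
// allow-modals (dialog boxes), allow-downloads (shadow downloads),
// allow-popups. The frame only ever receives the tokens below.
const BASE_TOKENS = ["allow-scripts", "allow-same-origin"];
const INTERACTIVE_TOKENS = ["allow-forms"];

// True when hostname is the whitelisted domain itself or one of its subdomains.
function hostMatches(hostname, allowed) {
  return hostname === allowed || hostname.endsWith("." + allowed);
}

// Returns the attribute map for the web-content iframe, or throws when the
// URL must not be embedded.
function buildFrameAttributes(url, { interactive = false, whitelist = [], appOrigin } = {}) {
  const target = new URL(url); // throws on malformed input
  if (target.protocol !== "https:") {
    throw new Error("only https content may be embedded");
  }
  // Never embed the application's own origin: combined with allow-scripts,
  // allow-same-origin would let a same-origin frame remove its own sandbox.
  if (appOrigin && target.origin === appOrigin) {
    throw new Error("refusing to embed the application itself");
  }
  if (whitelist.length && !whitelist.some((d) => hostMatches(target.hostname, d))) {
    throw new Error("domain not in whitelist: " + target.hostname);
  }
  const tokens = interactive ? [...BASE_TOKENS, ...INTERACTIVE_TOKENS] : BASE_TOKENS;
  return {
    src: target.href,
    sandbox: tokens.join(" "),
    referrerpolicy: "no-referrer",
    // Non-interactive frames also get pointer-events:none, so a click on the
    // board can never land on the framed page (clickjacking).
    style: interactive ? "" : "pointer-events: none",
  };
}

// Response header value for the application itself: only the app and the
// listed trusted embedders may frame it (cross-frame scripting defence).
function buildFrameAncestorsCsp(trustedEmbedders = []) {
  return "frame-ancestors " + ["'self'", ...trustedEmbedders].join(" ");
}

// Browser-side helper: mount the frame with the computed attributes.
function mountFrame(container, attrs) {
  const iframe = document.createElement("iframe");
  for (const [name, value] of Object.entries(attrs)) iframe.setAttribute(name, value);
  container.appendChild(iframe);
  return iframe;
}
```

The value returned by buildFrameAncestorsCsp is sent as the Content-Security-Policy header of the application's own pages, not of the embedded content.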
