# water-cooler
n
Clients get annoyed that we block this by default, but we don't want to open up unnecessary security holes
a
Would they still be annoyed when you explain to them it's a penetration vector, and they probably don't want that sort of risk? Then offer them a safer way of adding these widgets to their content? What that might be? Not sure.
n
@Adam Cameron you are on the case as always! thanks! I thought you were going to tell me that it's all been resolved by the internet. I see people using iframes for all sorts of stuff like maps and video widgets. Apparently not.
@ryan we could definitely use embed or maybe even object. For some reason I thought that those were like iframes in terms of security risk
@ryan it looks like youtube uses embed - perhaps we should try to allow embed tags from youtube, and various trusted sites, but not from other sources.
r
reading further about embed tags and object tags, it appears that embed tags are deprecated.
n
@ryan yes, noticing that as well
n
but youtube definitely uses this stuff - iframes i think. so presumably that's a safe source and could be whitelisted
I'm thinking maybe it's time to focus on a content security policy
r
I think iframes are still a security risk to cross-site attacks
n
I assume that if we leave the web editor open to accepting iframes, that would be a problem since someone on the client end could submit bad code to the db / site. But, if we could limit it to just, say, iframes from youtube or google maps, but block others, that might be a way to do it.
it looks like the content security concept has that whitelist built in: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
r
You probably can still use iframes, actually. New attributes were added to iframe last year. https://www.thoughtco.com/html5-attributes-iframe-element-3468668
n
very cool. i did not know that.
n
We use a shortcode to allow for user entry rather than cut and paste, i.e. [youtube url = "foo"], and then can control how it's rendered. Bit more fiddly for the end user, but it also means you can update the embed code centrally and control its output.
a
You could even add a button to the rich-txt editor to have a UI element to get the user's URL, and then insert the shortcode, yeah?
🤘🏼 1
n
Oh sure; we actually use vueJS to render a preview server-side and add a custom widget etc, but the principle was more of providing an abstraction layer to the embed code whilst stored within RTE html
1
a
Sorry, I should have said "one" not "you" then.
😃 1
n
@neokoenig So, you are saying that by using shortcodes and then having a specific whitelist of safe sources (e.g. YouTube, Google Maps, etc.) you can basically filter out unknown embed or iframe sources that way?
n
I've pm'd you