
Iframe's srcDoc allows arbitrary scripts, which can result in unsafe packages being published

Open · joakin opened this issue 3 years ago · 1 comment

Using iframes and srcDoc, you can add a random script tag to your application, from which you can access the parent window and do anything you want.

You could publish a package that looked like a safe Html element and under the hood be doing pretty much anything with JS.

https://ellie-app.com/kfNPH9Y2qvqa1

module Main exposing (main)

import Html
import Html.Attributes


-- Repro: the iframe's srcdoc document is same-origin with the embedding page,
-- so the inline script can reach window.parent and rewrite its DOM.
main : Html.Html msg
main =
    Html.iframe
        [ Html.Attributes.srcdoc """
        <body><script>
        alert('Hello from the iFrame')
        window.parent.document.body.innerHTML = 'XSS in Elm packages?'
        </script></body>
        """
        ]
        []

joakin, Nov 24 '22 18:11

There could be a couple of solutions:

  1. Html.Attributes.sandbox* should probably be removed and, in the virtual dom, enforced to be present and empty on any iframe element (<iframe sandbox="">) so that all security restrictions apply and aren't overwritten by a random Html.Attributes.attribute.
  2. The sandbox (mdn) attribute takes an allow-list of tokens that reduce the safety of the sandbox, so we could definitely sanitize the attribute string to never contain "allow-scripts", for example, and if it is not present, add it with some safe defaults.

Both are a bit tricky: 1) is a breaking change, removing the attribute, and 2) is an implicit breaking change; the API doesn't change, but the behavior of iframes does, and it could break production apps that used iframes containing scripts or other elements that are problematic for the package manager's safety.

joakin, Nov 24 '22 19:11
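Option 2 above, sketched as an added example (this is not code from elm/virtual-dom or from the issue author): a guard that a virtual DOM could run when it renders an iframe, which forces a `sandbox` attribute to exist and strips the tokens that let the framed document reach the embedding page. The issue names `allow-scripts`; the example also strips `allow-same-origin`, because a srcdoc frame without that token gets an opaque origin and can no longer touch `window.parent.document`, and the two `allow-top-navigation` tokens, which let a frame navigate the host page. The `enforceIframeSandbox(tag, attrs)` hook and the attribute-map shape are assumptions for illustration, not the real virtual-dom API; the sample attributes are constructed.

```javascript
// Added example, not elm/virtual-dom code. The hook signature
// enforceIframeSandbox(tag, attrs) is assumed for illustration.

// Sandbox tokens that weaken the sandbox enough for the framed document to
// run script in the host's origin or navigate the host page. These are
// always removed, whatever a package passes in.
const FORBIDDEN_TOKENS = new Set([
  "allow-scripts",
  "allow-same-origin",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// Default when the package gave no sandbox attribute at all: the empty
// string, i.e. every restriction applies (<iframe sandbox="">).
const DEFAULT_SANDBOX = "";

// Normalise a sandbox attribute value: split on whitespace, compare tokens
// ASCII case-insensitively (as the HTML spec does), drop forbidden ones and
// duplicates, and rejoin. Non-string input yields the fully locked default.
function sanitizeSandbox(value) {
  if (typeof value !== "string") return DEFAULT_SANDBOX;
  const kept = value
    .split(/\s+/)
    .filter((token) => token.length > 0)
    .map((token) => token.toLowerCase())
    .filter((token) => !FORBIDDEN_TOKENS.has(token));
  return Array.from(new Set(kept)).join(" ");
}

// Apply the guard to one element's attribute map. Only iframes are touched;
// every other tag is returned unchanged (as a shallow copy).
function enforceIframeSandbox(tag, attrs) {
  const out = Object.assign({}, attrs);
  if (String(tag).toLowerCase() !== "iframe") return out;
  out.sandbox = sanitizeSandbox(attrs.sandbox);
  return out;
}

// Constructed sample: the attribute set a package might emit, including an
// attempt to opt back out of the sandbox via Html.Attributes.attribute.
const SAMPLE_ATTRS = {
  srcdoc: "<body><script>window.parent.document.body.innerHTML = 'x'</script></body>",
  sandbox: "allow-scripts allow-same-origin allow-forms",
};

// Guarded result for the sample: sandbox="allow-forms", srcdoc untouched.
function sampleResult() {
  return enforceIframeSandbox("iframe", SAMPLE_ATTRS);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(sampleResult());
}
```

The guard deliberately keeps the attribute rather than dropping the iframe: the srcdoc content still renders, but with no script execution and an opaque origin, so the script in the repro above would simply not run. Note that this is exactly the implicit behaviour change the comment warns about; any app that relied on `allow-scripts` inside an iframe would lose it.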