https://github.com/janniks/iframe-csp-tester
- Host: GitHub
- URL: https://github.com/janniks/iframe-csp-tester
- Owner: janniks
- Created: 2023-09-26T14:20:43.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2023-09-26T14:45:26.000Z (over 2 years ago)
- Last Synced: 2025-04-08T13:32:43.811Z (about 1 year ago)
- Language: HTML
- Size: 16.6 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# iframe-tester
- `npm install`
- `npx serve main` serves the main site/extension at http://localhost:3000
- `npx nodemon server.js` runs the API/server at http://localhost:3001
## Goals
- stop cross-frame communication
- stop arbitrary network requests (allow only recursive requests to the same domain)
- stop top-level navigation (changing the main URL)
- stop clickjacking?
- allow scripts (for animation)
- allow stylesheets
- allow nesting
## Measures
- API CSP:
  - `"default-src 'unsafe-inline' data: blob: http://api.hiro.so;"`, which allows only inline content or recursive calls back to the API
  - Note: is `data:` unsafe for our use case?
  - Ideally the hostname would be specific enough not to cover other products.
- iframe props:
  ```
  sandbox="allow-scripts"
  referrerpolicy="no-referrer"
  credentialless
  ```
  - `sandbox` disables most dangerous features; we explicitly re-enable only scripts via `allow-scripts`
  - `referrerpolicy="no-referrer"` stops the iframe from sending the `Referer` header (unclear whether this is still needed in combination with CSP)
  - `credentialless` runs the iframe in an ephemeral context without credentials (experimental feature with little browser support)
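The API CSP listed under Measures, as an added example that is not part of this repository's code: a small matcher that shows which request URLs that `default-src` value admits, so the "recursive requests only" goal can be checked against concrete URLs. `parseCsp`, `sourceMatches` and `isAllowed` are this example's own simplified helpers; they cover only the source kinds that policy uses (keyword, scheme and host sources) and are not a full CSP Level 3 implementation.

```javascript
// Added example, not code from the iframe-csp-tester repo: evaluates which
// request URLs the README's API CSP lets through. Simplified matcher covering
// keyword, scheme and host sources only (the kinds this policy uses).
const API_CSP = "default-src 'unsafe-inline' data: blob: http://api.hiro.so;";

// "directive src src; directive src" -> Map(directive -> [sources])
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Fetch directives (connect-src, script-src, img-src, ...) fall back to default-src.
function effectiveSources(directives, directive) {
  return directives.get(directive) ?? directives.get('default-src') ?? [];
}

// Does one source expression permit this URL?
function sourceMatches(source, url) {
  if (source.startsWith("'")) return false;          // keywords govern inline code, not URLs
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {         // scheme source, e.g. data: or blob:
    return url.protocol === source.toLowerCase();     // note: data: also admits script-src
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Per CSP, an http: host source also matches https: at the same host.
  const schemeOk = !scheme || url.protocol === `${scheme.toLowerCase()}:` ||
    (scheme.toLowerCase() === 'http' && url.protocol === 'https:');
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1).toLowerCase())
    : url.hostname === host.toLowerCase();
  // A source with no explicit port matches only the scheme's default port,
  // which the URL parser reports as '' (simplified; explicit ports compared as-is).
  const portOk = (port ?? '') === url.port;
  return schemeOk && hostOk && portOk;
}

// Would a request to `target` under `directive` be allowed by `policy`?
function isAllowed(policy, target, directive = 'connect-src') {
  const url = new URL(target);
  return effectiveSources(parseCsp(policy), directive).some((s) => sourceMatches(s, url));
}

// e.g. isAllowed(API_CSP, 'http://api.hiro.so/v2/info') -> true
//      isAllowed(API_CSP, 'https://evil.example/exfil')  -> false
```

Because the policy has no `script-src`, the `data:` scheme source applies to scripts as well as fetches, which is the concern the README's note raises.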