Is it dangerous to allow the posting of iframe tags on the article posting site?

Asked 2 years ago, Updated 2 years ago, 95 views

I would like to allow the iframe tag to be able to paste videos from video sites such as YouTube on a site where users can post articles, but is it dangerous from a security perspective?

If it's dangerous, is there any way to deal with it?

By the way, the site is developed in rails.

Thank you for your cooperation.

ruby ruby-on-rails html5

2022-09-30 20:28

3 Answers

It's dangerous.

There are cases where an iframe is embedded through malicious tampering, such as phishing. It would be better to start development from an awareness that it is dangerous.

At the same time, you can embed videos, and automatically display malicious sites in other people's browsers.

HTML5 allows you to limit the behavior of iframe with the sandbox attribute, but it is possible that the functionality you want to paste will not be realized due to the limited functionality.

Also, if you want to modify the iframe specification for some reason (for example, HTML4 and HTML5 have different attributes), it will be difficult to modify the code that the user has pasted freely.

I think it's best not to let them use it, but if it's absolutely necessary (for example, I only use it within the LAN and among my peers), I just came up with the following two ideas.

  • Allow only the URL and video ID to be specified
    We will check the URL, and if possible, we will check whether the site is safe, for example by limiting the domain. It is possible to apply this in the model on the server side. Basically, if it is a site that can be pasted on the site, we should have a model ready, so it would be safer to use it if possible. (I think they want to do it on various sites more easily and without restrictions.)

  • Ask the user for permission
    In the initial state nothing is embedded automatically; embedding is performed only when the user takes an authorization action after being shown the source. Generally, many people think that they don't win bad lotteries, so I think many users will press the playback button without any doubt, so you shouldn't expect any effect. The execution is left to the user (similar to wikis, etc., which say that the destination is an external site).



2022-09-30 20:28
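One way to implement the "only the URL and video ID" idea from the answer above, as an added Ruby example that is not part of the original answers. The method names, the host allowlist, the 11-character ID pattern and the sandbox tokens are assumptions chosen for illustration; users submit a link, never an iframe tag, and the server builds the tag itself.

```ruby
require "uri"

# Assumed allowlist of hosts accepted from users (exact match only).
YOUTUBE_HOSTS = %w[www.youtube.com youtube.com m.youtube.com youtu.be].freeze
# Assumption: a video ID is exactly 11 URL-safe characters.
VIDEO_ID = /\A[A-Za-z0-9_-]{11}\z/

# Returns the video ID for an https YouTube URL, or nil for anything else.
def youtube_video_id(input)
  uri = URI.parse(input.to_s.strip)
  return nil unless uri.is_a?(URI::HTTPS) # drops http:, javascript:, data:, relative URLs
  return nil if uri.userinfo              # drops https://youtube.com@other.example/
  host = uri.host.to_s.downcase
  return nil unless YOUTUBE_HOSTS.include?(host) # no suffix or substring matching

  id = if host == "youtu.be"
         uri.path.delete_prefix("/")
       elsif uri.path == "/watch"
         URI.decode_www_form(uri.query.to_s).to_h["v"]
       elsif (m = uri.path.match(%r{\A/embed/([^/]+)\z}))
         m[1]
       end
  id if id && VIDEO_ID.match?(id)
rescue URI::InvalidURIError, ArgumentError
  nil
end

# Builds the iframe on the server. Only the validated ID is interpolated, and it
# can contain no HTML-significant characters because it matched VIDEO_ID.
def youtube_embed_html(input)
  id = youtube_video_id(input)
  return nil unless id
  %(<iframe src="https://www.youtube.com/embed/#{id}" width="560" height="315" ) +
    %(sandbox="allow-scripts allow-same-origin allow-presentation" ) +
    %(referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample submissions: two accepted forms and two rejected ones.
  ["https://www.youtube.com/watch?v=abcDEF12345",
   "https://youtu.be/abcDEF12345",
   "https://www.youtube.com.other.example/watch?v=abcDEF12345",
   "javascript:alert(1)"].each do |url|
    puts "#{url} => #{youtube_embed_html(url).inspect}"
  end
end
```

In a Rails view the returned string has to be rendered as trusted HTML, so it should only ever come from this builder, while the article body itself is sanitized with iframe tags stripped.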

This is the answer to the question of the person in the comment, but in the case of Hatena blog, the information that can be subject to XSS seems to be isolated with iframe. Qiita contains details about the XSS vulnerability - Qiita. (However, it seems that you can do self-XSS on the edit screen... Self-XSS Vulnerability "&'<>\ Advent Calendar 2014 (Day 19) - ooooooooooo_q Diary)

Trustworthy resources such as YouTube and replace only that URL with embedded code (like WordPress), but it's hard to define reliable resources in the first place.


2022-09-30 20:28

iframe and if you want to create a secure website, IPA's "How to create a secure website" is a good document. I recommend that you look through it once.

# It's a little off the point of the question, but as a supplement, it's a broader basic education.


2022-09-30 20:28
