What sandbox does an <object> element run in? Can this sandbox be configured?
I run a site that displays user-generated SVGs. They are untrusted, so they need to be sandboxed.
I currently embed these SVGs using <object> elements. (Unlike <img>, this allows loading external fonts. And unlike using an <iframe>, the <object> resizes to the SVG's content size. See this discussion.)
However, I don't know whether these SVGs are appropriately sandboxed when using <object>. The <iframe> permissions model is fairly clear, e.g. <iframe sandbox="allow-scripts"> disallows everything except running scripts. But what is the sandbox/permission model for <object> elements?
- When I embed a page using <object>, what can that page do by default? E.g. what cookies can it access? Is it the same as an <iframe> without the sandbox attribute?
- What are the implications of hosting the user content SVGs on the same domain? Should I instead host them on foobarusercontent.com?
- Does the <object> tag support an equivalent of the sandbox attribute? Is there another way to set permissions for an <object>?
- What specifications describe the security model for <object>?
Solution 1:[1]
Looking at the HTML specifications, it doesn't seem like it's possible to set a sandbox attribute.
Here are some examples of how object might be used.
According to Mozilla, adding a sandbox attribute to object was discussed at some point on WHATWG's mailing list.
Reference to discussion mention
It seems the iframe tag has existed since May 2008 according to this. I've been looking through the mailing list from that date but I haven't found that discussion about object sandboxing yet.
Here's the mailing list that's been archived.
I think for any further information you should consider chatting with WHATWG right here.
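As an added example (not code from the question or the answer above): since <object> has no sandbox attribute, the restrictions can instead be imposed by the server that delivers the SVG, using the Content-Security-Policy `sandbox` directive, a technique the thread itself does not mention. The upload directory, the font host and the origins used in the check are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import urlsplit

SVG_ROOT = Path("/srv/usercontent/svg")   # assumed upload directory (placeholder)
FONT_HOST = "https://fonts.example"        # assumed font host (placeholder)


def svg_response_headers() -> dict[str, str]:
    """<object> has no sandbox attribute, but the CSP 'sandbox' directive puts the
    document delivered with it under the same restrictions as <iframe sandbox>:
    no scripts, forms, popups or top navigation, and an opaque origin, so it
    cannot read the hosting site's cookies or storage. The fetch directives
    block everything except inline styles and fonts from FONT_HOST.
    """
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",   # never sniffed into text/html
        "Content-Security-Policy": "sandbox; default-src 'none'; "
                                   f"style-src 'unsafe-inline'; font-src {FONT_HOST}",
        "Cache-Control": "private, no-store",
    }


def same_origin(page_url: str, svg_url: str) -> bool:
    """True when the SVG would share the page's origin (scheme, host, port)."""
    def origin(u):
        s = urlsplit(u)
        return s.scheme, s.hostname, s.port or {"http": 80, "https": 443}.get(s.scheme)
    return origin(page_url) == origin(svg_url)


class UserSvgHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        target = SVG_ROOT / Path(self.path).name   # bare filename: no ../ escapes
        if target.suffix != ".svg" or not target.is_file():
            self.send_error(404)
            return
        body = target.read_bytes()
        self.send_response(200)
        for name, value in svg_response_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), UserSvgHandler).serve_forever()
```

Serving the SVGs from a separate host (as the question's foobarusercontent.com suggests) remains worthwhile on top of this, since same_origin() is the check for that and the header-based sandbox only covers browsers that honour CSP.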
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | SpyderCoder |
