web-component-designer
XSS protection
I noticed that your preview canvas doesn't include the sandbox attribute. This would introduce Cross-Site Scripting (XSS) vulnerabilities. A malicious web component would be able to make requests as the user.
If you use sandbox="allow-scripts" then you'll close that vulnerability, but it also means redesigning your previous solution to use postMessage for cross-domain communication.
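One way to implement what the issue proposes, as an added example that is not code from web-component-designer: the preview is loaded into an iframe with sandbox="allow-scripts" (no allow-same-origin, so the frame gets an opaque origin), and host and preview exchange only a small set of typed postMessage messages, each side checking the sender's identity before acting. HOST_ORIGIN, the message type names, and the injected document/window objects are assumptions made for this example; the wiring functions mirror the browser API but the block itself runs under Node with constructed fake windows.

```javascript
// Added example, not code from web-component-designer. Host/preview
// postMessage protocol for a preview <iframe sandbox="allow-scripts">.
// HOST_ORIGIN and the message type names are assumptions for this example.

const HOST_ORIGIN = "https://designer.example";   // assumed: origin of the designer page

// No allow-same-origin: the preview runs with an opaque origin, so its scripts
// cannot reach the host's DOM, cookies or storage. Adding "allow-same-origin"
// next to "allow-scripts" would hand those back and defeat the sandbox.
const PREVIEW_SANDBOX = "allow-scripts";

// Message types each side is willing to accept; anything else is dropped.
const PREVIEW_TO_HOST = new Set(["ready", "element-selected", "resized"]);
const HOST_TO_PREVIEW = new Set(["render", "select"]);

// Host side: build the preview frame. `doc` is injected so the function also
// runs outside a browser (the tests pass a fake document).
function createPreviewFrame(doc, previewUrl) {
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", PREVIEW_SANDBOX);
  frame.setAttribute("src", previewUrl);
  return frame;
}

// Host side: is this MessageEvent really from our preview frame?
// A sandboxed frame without allow-same-origin reports origin "null", so the
// origin string alone proves nothing; identity comes from comparing
// event.source with the contentWindow of the frame we created.
function isTrustedPreviewMessage(event, previewWindow) {
  if (event.source !== previewWindow) return false;
  if (event.origin !== "null") return false;        // not an opaque-origin frame: not ours
  const data = event.data;
  if (data === null || typeof data !== "object") return false;
  return PREVIEW_TO_HOST.has(data.type);
}

// Host side: send to the preview. An opaque origin cannot be named in
// targetOrigin, so "*" is unavoidable here; safety comes from addressing
// exactly the window we created, not from the origin filter.
function sendToPreview(previewWindow, type, payload) {
  const message = { type, payload };
  previewWindow.postMessage(message, "*");
  return message;
}

// Preview side: only the designer page may drive the preview.
function isTrustedHostMessage(event, parentWindow) {
  if (event.source !== parentWindow) return false;
  if (event.origin !== HOST_ORIGIN) return false;
  const data = event.data;
  if (data === null || typeof data !== "object") return false;
  return HOST_TO_PREVIEW.has(data.type);
}

// Preview side: name the host origin explicitly, never "*", so the message is
// not delivered if the preview page was embedded by some other site.
function sendToHost(parentWindow, type, payload) {
  const message = { type, payload };
  parentWindow.postMessage(message, HOST_ORIGIN);
  return message;
}

// Browser wiring on the host side (not exercised under Node): validate first,
// then hand the message to the designer's own handler.
function installHostListener(win, previewWindow, onMessage) {
  win.addEventListener("message", (event) => {
    if (!isTrustedPreviewMessage(event, previewWindow)) return;
    onMessage(event.data);
  });
}
```

In the browser the host would call createPreviewFrame(document, previewUrl), append it, and pass frame.contentWindow to installHostListener and sendToPreview; the preview document would register the same kind of listener with isTrustedHostMessage(event, window.parent) and reply through sendToHost(window.parent, ...). The preview can then render whatever markup the host sends it without that markup ever running on the designer's origin.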
Where should we use this? The sandbox attribute is for iframes; we don't use an iframe at the moment.