Goal: We want to load arbitrary, untrusted HTML/CSS/JS into an iframe, with protection both from Spectre and similar side-channel attacks and from JavaScript execution escaping the confines of the iframe.
Scenario: In an end-to-end encrypted web application, HTML/CSS/JS resources are decrypted locally in the browser. We want to display them inside a sandboxed iframe.
This POC demonstrates how we envisaged this working:
Limitation of POC: Relies on WritableStream in Service Workers. This has been available in Chrome for some time. As of Dec 2019 it is available, but not enabled, in Firefox Nightly (about:config pref Javascript.options.writable_streams).
Note: Firefox nightly helpfully provides the following message: 'An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.'
Problem: It is not possible to intercept requests from inside the iframe unless its sandbox attribute contains allow-same-origin.
References: Issue #1390, Issue #1437, Issue #765
iframe sandbox attribute: allow-same-origin
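The two checks below are an added example, not code from the POC. The first evaluates an iframe's sandbox token list for the hazard in the Note above (allow-scripts plus allow-same-origin on a frame served from the embedding page's own origin lets the frame strip its own sandbox) and reports the opaque-origin constraint from the Problem above (no Service Worker interception without allow-same-origin). The second models what a Service Worker fetch handler should answer for a resource the page has already decrypted; the handler is shown as a plain object rather than a streamed Response, and the resource map, origins, function names and header choices are assumptions.

```javascript
// Added example (not the POC's own code). Runs under Node or a browser.

// Sandbox tokens defined by the HTML spec; anything else is a typo or unsupported.
const KNOWN_SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

function parseSandbox(attr) {
  const tokens = new Set(String(attr).trim().toLowerCase().split(/\s+/).filter(Boolean));
  const unknown = [...tokens].filter((t) => !KNOWN_SANDBOX_TOKENS.has(t));
  return { tokens, unknown };
}

// frameOrigin / parentOrigin: where the frame document and the embedding document
// are served from (assumed values such as "https://app.example").
function assessSandbox(attr, { frameOrigin, parentOrigin }) {
  const { tokens, unknown } = parseSandbox(attr);
  const findings = [];
  const scripts = tokens.has('allow-scripts');
  const sameOrigin = tokens.has('allow-same-origin');

  if (!sameOrigin) {
    // Opaque origin: no storage and no Service Worker control, so the frame's
    // requests cannot be intercepted. This is the constraint the POC hits.
    findings.push({ level: 'info', code: 'opaque-origin',
      msg: 'frame has an opaque origin; a Service Worker cannot intercept its requests' });
  }
  if (scripts && sameOrigin && frameOrigin === parentOrigin) {
    // Script plus the embedder's own origin: the frame can reach parent.document
    // and delete its own sandbox attribute (the Firefox Nightly warning).
    findings.push({ level: 'high', code: 'sandbox-escape',
      msg: 'allow-scripts + allow-same-origin on a same-origin frame can remove its own sandboxing' });
  } else if (scripts && sameOrigin) {
    findings.push({ level: 'medium', code: 'sw-interception-ok',
      msg: 'frame keeps a separate origin; interception works, but the app origin must never trust the frame origin' });
  }
  if (tokens.has('allow-top-navigation')) {
    findings.push({ level: 'medium', code: 'top-navigation',
      msg: 'untrusted content may navigate the top-level page' });
  }
  for (const t of unknown) {
    findings.push({ level: 'low', code: 'unknown-token', msg: `ignored sandbox token "${t}"` });
  }
  return { ok: !findings.some((f) => f.level === 'high'), findings };
}

// Constructed sample: resources the app has already decrypted, keyed by the path
// the frame will request. In the POC the worker receives these from the page.
const DECRYPTED_RESOURCES = new Map([
  ['/doc/index.html', { type: 'text/html; charset=utf-8', body: new TextEncoder().encode('<p>hello</p>') }],
  ['/doc/app.js', { type: 'text/javascript', body: new TextEncoder().encode('console.log(1)') }],
]);

// What a Service Worker "fetch" handler should answer for a decrypted resource.
// Returns a plain description; inside the worker this becomes
// event.respondWith(new Response(body, { status, headers })).
function buildResponse(requestUrl, resources = DECRYPTED_RESOURCES) {
  const path = new URL(requestUrl).pathname;
  const res = resources.get(path);
  if (!res) return { status: 404, headers: {}, body: new Uint8Array(0) };
  return {
    status: 200,
    headers: {
      'Content-Type': res.type,
      // Never let the browser sniff untrusted bytes into a different type.
      'X-Content-Type-Options': 'nosniff',
      // Decrypted bytes must not land in the HTTP cache.
      'Cache-Control': 'no-store',
      // Only the frame's own origin may load these, keeping them out of other
      // origins' renderer processes (the Spectre concern in the Goal).
      'Cross-Origin-Resource-Policy': 'same-origin',
    },
    body: res.body,
  };
}
```

Running assessSandbox on the POC's required token list with the frame on the same origin as the app reports a high finding; serving the frame from a dedicated origin keeps interception working without that finding.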