Make this safe.

[dmadisetti]

We're using iframes. It feels super hacky. Look into implementing sandbox and restricting everything unless *.carolinaignites.org or localhost. Not a major concern, but we should be security conscious

[dmadisetti]

I think this is good enough. There maybe be a way of executing all user js in a hidden iframe though, but may be more trouble than worth.

I'll leave it open, just in case

[dmadisetti]

See dwitter.net

[kmsalah]

From dwitter discord: Hey <@532598911723110421>

We've done a few different things, each helps but we're obviously not completely protected, so we do have active mods that can delete posts.

But the main things (from what I can recall, it's been a while) is:

Dweets are hosted in a separate iframe with the sandbox property set; this already blocks a lot of things like alert() and window redirects.

The iframe source is from a different subdomain from the rest of the page, I don't know if this actually mattered in the end but the idea was for them to be different origins and get some protection from CORS, as we don't allow dweets to load resources from the main page.

And finally just CORS setup so you cant just load an office image from somewhere else

We also do code instrumentation to detect infinite or long loops to avoid a dweet stopping the whole page

[dmadisetti]

So we do sandbox:

editFrame/src/html/index.html

Line 92 in 03ce9b7

<iframe sandbox="allow-same-origin allow-scripts" id="frame" src="./frame.html" allowfullscreen></iframe>

(Same settings as dwitter)

• I think we enforce coors (to double check)

• We don't have a separate subdomain (this is an ignite feature)

• We do not have infinite loop detection

[kmsalah]

more from dwitter discord:
"I depends what you mean by unsafe.
Dwitter does not prevent code from running, anything anyone submits will run, however it does prevent cross frame communication by utilising the iframe sandbox attribute to prevent the code from doing much to the parent, i.e it can't steal your Dwitter cookie. If you inspect the iframe you can see this attirbute:
sandbox="allow-same-origin allow-scripts allow-downloads" It works as an allowed list, everything not included is implicitly not-allowed."