Security Restrictions
Sandbox iFrame
Embedding a third-party page in an iframe is risky when the embedded site turns out to be hostile: without restrictions it can run scripts, open windows, navigate the top-level page and prompt the attendee. GEVME Virtual therefore renders every iframe with a sandbox attribute by default, which applies extra restrictions to the content in the frame.
In GEVME Virtual, the default iframe attributes are:
<iframe
src="${src}"
sandbox="allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation allow-downloads allow-modals allow-presentation allow-same-origin"
allow="camera *; microphone *; accelerometer; magnetometer; autoplay; encrypted-media; gyroscope; geolocation; picture-in-picture; xr-spatial-tracking; webvr; vr; webxr; xr" allowfullscreen=""
seamless=""
loading="lazy"
frameborder="0"
style="width: 100%; height: 100%;">
</iframe>
src
The URL of the page to embed. Use a value of about:blank to embed an empty page that conforms to the same-origin policy. Also note that programmatically removing an <iframe>'s src attribute (e.g. via Element.removeAttribute()) causes about:blank to be loaded in the frame in Firefox (from version 65), Chromium-based browsers, and Safari/iOS.
sandbox
Attribute | Description |
---|---|
allow-scripts | Lets the resource run scripts (but not create popup windows). |
allow-forms | Allows the resource to submit forms. If this keyword is not used, form submission is blocked. |
allow-popups | Allows popups (such as window.open(), target="_blank", or showModalDialog()). If this keyword is not used, the popup will silently fail to open. |
allow-popups-to-escape-sandbox | Lets the sandboxed document open new windows without those windows inheriting the sandboxing. For example, this can safely sandbox an advertisement without forcing the same restrictions upon the page the ad links to. |
allow-top-navigation-by-user-activation | Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture. |
allow-downloads | Allows downloads to occur, but only with a gesture from the user. |
allow-modals | Lets the resource open modal windows (alert(), confirm(), prompt() and the beforeunload prompt). |
allow-presentation | Lets the resource start a presentation session. |
allow-same-origin | If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy, so it cannot read the cookies or storage of its own origin and some JavaScript APIs are unavailable. |
You may find the full list of sandbox tokens here.
Note that the default set above grants both allow-scripts and allow-same-origin. That combination is safe only for cross-origin content: a document that is same-origin with the embedding page and holds both tokens can reach into the parent and remove the sandbox attribute from its own <iframe>, so same-origin content should not be embedded with these defaults. allow-popups-to-escape-sandbox likewise means any window the frame opens is fully unsandboxed, and allow-top-navigation-by-user-activation lets the embedded site redirect the whole event page on a single click.
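The following is an added example, not GEVME's own code, of the check a practitioner would put in front of the iframe above: it validates the embed URL (only http/https, so no javascript: or data: frames), refuses the allow-scripts + allow-same-origin combination for content that is same-origin with the embedding page, and only then emits the markup. The sandbox token list is the one shown on this page; the embedding origin, the helper names and the use of a markup string instead of DOM calls are assumptions made so the example runs outside a browser.

```javascript
// Added example (not GEVME code): validate an embed before building its <iframe>.

// Token set copied from the default iframe shown on this page.
const DEFAULT_SANDBOX = [
  'allow-scripts', 'allow-forms', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-top-navigation-by-user-activation', 'allow-downloads', 'allow-modals',
  'allow-presentation', 'allow-same-origin',
];

// Only http(s) embeds: javascript:, data: and other schemes would run in the
// embedder's context or sidestep any URL allow-list entirely.
function validateEmbedUrl(src) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    throw new Error(`invalid embed URL: ${src}`);
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`refusing to embed scheme ${url.protocol}`);
  }
  return url;
}

// True when the frame could strip its own sandbox: the content is same-origin
// with the embedding page and the token set has both allow-scripts and
// allow-same-origin.
function canEscapeSandbox(src, embedderOrigin, tokens) {
  const url = validateEmbedUrl(src);
  const set = new Set(tokens);
  return url.origin === embedderOrigin && set.has('allow-scripts') && set.has('allow-same-origin');
}

// Minimal attribute escaping for the generated markup.
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Returns the <iframe> markup, or throws rather than emitting a frame that
// could unsandbox itself. embedderOrigin is an assumed input (e.g. location.origin).
function buildEmbedFrame(src, embedderOrigin, tokens = DEFAULT_SANDBOX) {
  if (canEscapeSandbox(src, embedderOrigin, tokens)) {
    throw new Error('same-origin content with allow-scripts + allow-same-origin can remove its sandbox');
  }
  const url = validateEmbedUrl(src);
  return `<iframe src="${escapeAttr(url.href)}" sandbox="${tokens.join(' ')}" ` +
         'loading="lazy" style="width: 100%; height: 100%;"></iframe>';
}
```

A same-origin embed that genuinely needs scripts should be rendered with a token set that drops allow-same-origin (it then runs in an opaque origin and cannot touch the parent's cookies or storage), which is why canEscapeSandbox takes the token list as a parameter rather than always using the default.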
allow
Specifies a permissions policy (formerly called feature policy) for the <iframe>. The policy defines what features are available to the <iframe> based on the origin of the request (e.g. access to the microphone, camera, battery, web-share API, etc.). Note that the default allow value above grants camera and microphone to any origin (camera *; microphone *), so every embedded page is able to prompt attendees for those devices.
For more information and examples see: Using Feature Policy > The iframe allow attribute.
allowFullScreen
Set to true if the <iframe> can activate fullscreen mode by calling the requestFullscreen() method.
loading
Indicates how the browser should load the iframe:
- eager: Load the iframe immediately, regardless if it is outside the visible viewport (this is the default value).
- lazy: Defer loading of the iframe until it reaches a calculated distance from the viewport, as defined by the browser.
frameBorder
The value 1 (the default) draws a border around this frame. The value 0 removes the border around this frame, but you should instead use the CSS property border to control <iframe> borders.
Immutable window.GEVME object
To avoid inconsistent state and to prevent scripts that run later in the page (including embedded or third-party code) from modifying its properties, the window.GEVME object is made immutable once it is initialized, using Object.freeze(window.GEVME). Two caveats apply to that mechanism: Object.freeze is shallow, so any nested objects it holds stay writable unless they are frozen too, and freezing the object does not stop the window.GEVME property itself from being reassigned to a different object unless that property is also defined as non-writable.
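The following added example (not GEVME's code; the real shape of window.GEVME is not documented here, so a constructed config object and a plain object standing in for window are used) shows what Object.freeze does and does not protect, and a hardened variant that deep-freezes the graph and locks the property. The hardened variant is an assumption for the example, not something the page states GEVME does.

```javascript
// Added example (not GEVME code): limits of Object.freeze on a global config object.

function makeConfig() {
  // Constructed sample; the real shape of window.GEVME is not documented on this page.
  return { apiBase: 'https://example.invalid/api', features: { chat: true } };
}

// Freeze an entire object graph (Object.freeze alone is shallow). Cycle-safe.
function deepFreeze(obj, seen = new WeakSet()) {
  if (obj === null || typeof obj !== 'object' || seen.has(obj)) return obj;
  seen.add(obj);
  for (const key of Reflect.ownKeys(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (desc && 'value' in desc) deepFreeze(desc.value, seen);
  }
  return Object.freeze(obj);
}

// Reflect.set reports a rejected write as false instead of throwing (strict
// mode) or failing silently (sloppy mode), so each outcome can be inspected.
function shallowFreezeDemo() {
  const win = {};                                  // stand-in for window
  win.GEVME = Object.freeze(makeConfig());         // what the page describes
  const topLevelWrite = Reflect.set(win.GEVME, 'apiBase', 'https://attacker.invalid');
  const nestedWrite = Reflect.set(win.GEVME.features, 'chat', false); // succeeds: shallow
  const chatAfter = win.GEVME.features.chat;
  const rebound = Reflect.set(win, 'GEVME', { apiBase: 'https://attacker.invalid' }); // succeeds
  return { topLevelWrite, nestedWrite, chatAfter, rebound, apiBaseAfter: win.GEVME.apiBase };
}

// Hardened variant (assumption for this example): deep-freeze the object and
// make the property non-writable and non-configurable so it cannot be
// reassigned or deleted.
function hardenedDemo() {
  const win = {};
  Object.defineProperty(win, 'GEVME', {
    value: deepFreeze(makeConfig()), writable: false, configurable: false, enumerable: true,
  });
  const topLevelWrite = Reflect.set(win.GEVME, 'apiBase', 'https://attacker.invalid');
  const nestedWrite = Reflect.set(win.GEVME.features, 'chat', false);
  const rebound = Reflect.set(win, 'GEVME', { apiBase: 'https://attacker.invalid' });
  const deleted = Reflect.deleteProperty(win, 'GEVME');
  return { topLevelWrite, nestedWrite, rebound, deleted,
           chatAfter: win.GEVME.features.chat, apiBaseAfter: win.GEVME.apiBase };
}
```

In a real page the hardened form would be Object.defineProperty(window, 'GEVME', {...}) with the same descriptor; it has to run before any untrusted script, since a property that is already configurable can be redefined by whoever gets there first.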
CSP Policy
Introduction
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.
CSP is designed to be fully backward compatible (except CSP version 2 where there are some explicitly-mentioned inconsistencies in backward compatibility; more details here). Browsers that don’t support it still work with servers that implement it, and vice-versa: browsers that don’t support CSP ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesn’t offer the CSP header, browsers likewise use the standard same-origin policy.
CSP Attributes
You may refer to the full list of CSP source values here.
Attributes | Description |
---|---|
'none' | Refers to the empty set; that is, no URLs match. The single quotes are required. |
'self' | Refers to the origin from which the protected document is being served, including the same URL scheme and port number. The single quotes are required. Some browsers specifically exclude blob and filesystem from source directives; sites needing to allow these content types can list the scheme explicitly (blob:, filesystem:). |
<host-source> | Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*', as in *.example.com), and you may use '*' as the port number, indicating that all legal ports are valid for the source. |
Supported CSP policies
CSP policy | Default Attribute | Policy Description |
---|---|---|
default-src | 'none' | The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives. |
manifest-src | 'self' | The HTTP Content-Security-Policy (CSP) manifest-src directive specifies which web app manifest files may be applied to the resource. |
navigate-to | 'self' | The HTTP Content-Security-Policy (CSP) navigate-to directive restricts the URLs to which a document can initiate navigations by any means including <form> (if form-action is not specified), <a>, window.location, window.open, etc. This is an enforcement on what navigations this document initiates, not on what this document is allowed to navigate to. Note that navigate-to was dropped from the CSP specification and is not implemented by shipping browsers, so it provides no protection on its own. |
form-action | 'self' | The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of a form submission from a given context. |
frame-src | | The HTTP Content-Security-Policy (CSP) frame-src directive specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>. |
frame-ancestors | 'self' | The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. Setting this directive to 'none' is similar to X-Frame-Options: deny (which is also supported in older browsers). |
object-src | | The HTTP Content-Security-Policy object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements. To set allowed types for <object>, <embed>, and <applet> elements, use the plugin-types directive. Elements controlled by object-src are legacy HTML elements and aren't receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). Therefore it is recommended to restrict this fetch directive (e.g. explicitly set object-src 'none' if possible). |
child-src | 'self' | The HTTP Content-Security-Policy (CSP) child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. For workers, non-compliant requests are treated as fatal network errors by the user agent. |
worker-src | 'self' | The HTTP Content-Security-Policy (CSP) worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. |
img-src | | The HTTP Content-Security-Policy img-src directive specifies valid sources of images and favicons. |
media-src | | The HTTP Content-Security-Policy (CSP) media-src directive specifies valid sources for loading media using the <audio> and <video> elements. |
style-src | 'self' blob: 'unsafe-inline' 'unsafe-eval' fonts.google.com fonts.gstatic.com fonts.googleapis.com unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com | The HTTP Content-Security-Policy (CSP) style-src directive specifies valid sources for stylesheets. |
font-src | 'self' data: blob: fonts.google.com fonts.gstatic.com fonts.googleapis.com unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com | The HTTP Content-Security-Policy (CSP) font-src directive specifies valid sources for fonts loaded using @font-face. |
script-src | 'self' blob: 'unsafe-inline' 'unsafe-eval' unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com | The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution. |
connect-src | 'self' | The HTTP Content-Security-Policy (CSP) connect-src directive restricts the URLs which can be loaded using script interfaces. The APIs that are restricted are: <a> ping, WindowOrWorkerGlobalScope.fetch, XMLHttpRequest, WebSocket, EventSource, and Navigator.sendBeacon(). |
upgrade-insecure-requests | (takes no value) | The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten. The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set either directive, but not both, unless you want to force HTTPS on older browsers that do not force it after a redirect to HTTP. The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks. |
Two of these defaults deserve attention when assessing what the policy actually prevents. script-src includes 'unsafe-inline' and 'unsafe-eval', so an attacker who can inject markup into a page can still execute inline script; the policy therefore does not by itself mitigate XSS, and nonces or hashes would be needed for that. It also allow-lists entire public CDNs (unpkg.com, cdn.jsdelivr.net, cdnjs.cloudflare.com), so any file hosted there, not only the libraries GEVME uses, can be loaded as a script; CSP evaluators flag such hosts because they serve libraries that can be used to bypass a policy. The directives that are not listed with a default (frame-src, object-src, img-src, media-src) inherit default-src 'none' unless GEVME sets them explicitly.
Block External Network Request
In GEVME, any network (HTTP) request from the page to an external origin is blocked by default. This is the effect of the connect-src 'self' directive listed above: for example, fetch("https://www.google.com/") is rejected (the promise fails with a TypeError because the browser refuses to send the request), and XMLHttpRequest, WebSocket, EventSource and sendBeacon() to other origins are blocked in the same way. Any request that must reach an external site needs to be allow-listed by a GEVME admin.
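The following added example, not GEVME's code, serves both the CSP table above and the external-request rule here: it parses a Content-Security-Policy header, resolves which directive actually governs a request through the default-src fallback chain, decides whether a given URL is allowed (which is exactly why fetch to google.com fails under connect-src 'self'), and flags the weak settings discussed above. The sample header is constructed to resemble the defaults in the table and is not a captured GEVME response; the page origin, the function names and the simplified host matching (paths are ignored) are assumptions of the example.

```javascript
// Added example (not GEVME code): a small CSP parser, fallback resolver and linter.

// CSP3 fallback chains. Fetch directives not listed fall straight back to
// default-src; directives in NO_FALLBACK never inherit from it.
const FALLBACK = {
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'frame-src': ['child-src', 'default-src'],
  'script-src-elem': ['script-src', 'default-src'],
  'style-src-elem': ['style-src', 'default-src'],
};
const NO_FALLBACK = new Set(['default-src', 'base-uri', 'sandbox', 'form-action',
  'frame-ancestors', 'navigate-to', 'report-uri', 'report-to',
  'upgrade-insecure-requests', 'block-all-mixed-content']);

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // a repeated directive is ignored
  }
  return policy;
}

// The directive that actually governs `name`, or null if nothing applies.
function effective(policy, name) {
  if (policy.has(name)) return { directive: name, sources: policy.get(name) };
  if (NO_FALLBACK.has(name)) return null;
  for (const fb of FALLBACK[name] || ['default-src']) {
    if (policy.has(fb)) return { directive: fb, sources: policy.get(fb) };
  }
  return null;
}

// Source matching: keywords, scheme sources, and host sources with optional
// scheme, leading wildcard and port. Paths are ignored (a simplification).
function sourceMatches(src, url, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;                       // nonces, hashes, 'unsafe-*'
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (url.hostname !== host) {
    return false;
  }
  if (port && port !== '*') {
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (urlPort !== port) return false;
  }
  return true;
}

function allows(policy, directive, target, pageOrigin) {
  const eff = effective(policy, directive);
  if (!eff) return true; // nothing governs it: unrestricted
  const url = new URL(target);
  return eff.sources.some((s) => sourceMatches(s, url, pageOrigin));
}

function lint(policy) {
  const findings = [];
  const script = effective(policy, 'script-src');
  const srcs = script ? script.sources.map((s) => s.toLowerCase()) : [];
  if (!script) findings.push('script-src: neither script-src nor default-src set');
  if (srcs.includes("'unsafe-inline'") && !srcs.some((s) => /^'(nonce-|sha\d{3}-)/.test(s))) {
    findings.push(`${script.directive}: 'unsafe-inline' lets injected inline scripts run`);
  }
  if (srcs.includes("'unsafe-eval'")) {
    findings.push(`${script.directive}: 'unsafe-eval' enables eval() on attacker-controlled strings`);
  }
  for (const s of srcs) {
    if (s === '*' || /^(https?|data|blob):$/.test(s)) findings.push(`${script.directive}: broad source ${s}`);
  }
  const obj = effective(policy, 'object-src');
  if (!obj || !obj.sources.includes("'none'")) findings.push("object-src: not 'none'");
  if (!policy.has('base-uri')) findings.push('base-uri: missing; an injected <base> can redirect relative script URLs');
  return findings;
}

// Constructed header modelled on the defaults in the table above (an approximation
// for this example, not a captured GEVME response). PAGE_ORIGIN is assumed.
const PAGE_ORIGIN = 'https://virtual.example.invalid';
const SAMPLE_POLICY = [
  "default-src 'none'",
  "script-src 'self' blob: 'unsafe-inline' 'unsafe-eval' unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com",
  "style-src 'self' blob: 'unsafe-inline' fonts.googleapis.com",
  "connect-src 'self'",
  "frame-ancestors 'self'",
  "form-action 'self'",
  'upgrade-insecure-requests',
].join('; ');

function analyzeSample() {
  const policy = parsePolicy(SAMPLE_POLICY);
  return {
    imgGovernedBy: effective(policy, 'img-src').directive,       // 'default-src'
    workerGovernedBy: effective(policy, 'worker-src').directive, // 'script-src'
    baseUriGovernedBy: effective(policy, 'base-uri'),            // null: never falls back
    fetchGoogle: allows(policy, 'connect-src', 'https://www.google.com/', PAGE_ORIGIN), // false
    fetchSelf: allows(policy, 'connect-src', PAGE_ORIGIN + '/api/session', PAGE_ORIGIN), // true
    cdnScript: allows(policy, 'script-src', 'https://cdn.jsdelivr.net/npm/any-package', PAGE_ORIGIN), // true
    findings: lint(policy),
  };
}
```

The worker-src result is worth noting: because the sample sets no child-src, workers inherit script-src and with it 'unsafe-inline' and the CDN hosts, whereas base-uri is never covered by default-src and has to be set explicitly.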