On Wed, Jan 31, 2024 at 10:18 AM Tim Moody <[email protected]> wrote:
> Discussions as to the security of iframes are ongoing, such as
> https://phabricator.wikimedia.org/T222807 and a number of others.
>
> It is time to resolve this once and for all. How can we adjudicate this
> question and say definitively that iframes mitigate the security risk of
> running Javascript in the user's browser if certain specified requirements
> are met?
>

The iframe sandboxing + enforcing CSP approach described in T222807 would reduce the risk of running potentially dangerous javascript within a user's browser, but not eliminate the risk entirely. Unfortunately there have been some related performance issues in exploring this approach (see: https://phabricator.wikimedia.org/T169027#9342985) as well as some criticism regarding whether or not this approach is in line with the Wikimedia movement's values (see: https://phabricator.wikimedia.org/T169027#9362252).

--
Scott Bassett
[email protected]
_______________________________________________
Wikimedia-l mailing list -- [email protected], guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and
https://meta.wikimedia.org/wiki/Wikimedia-l
Public archives at
https://lists.wikimedia.org/hyperkitty/list/[email protected]/message/XNIBXNEUWJOMHF4DU3LJ3LULDD5QPHHI/
To unsubscribe send an email to [email protected]
