@simon <iframe sandbox> is useful here. You can even allow JavaScript but have it run in an opaque origin.
@simon the table at the bottom of https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe is decent

@jaffathecake it's the best I've seen but it still leaves me with so many questions... how good is browser support for each of those allowX things? What do browser security experts advise in terms of using them? I'm really paranoid :/

@simon the browser support for the various allow features is in the table at the end of the page

@simon @jaffathecake if you just want the SVG displayed, put them in an <img> tag. Otherwise, your favorite sanitizer library DOMPurify has great SVG support. (Iframe sandbox works really great too!!)
@jaffathecake I'm desperately keen on learning the true ins and outs of that, but I've found detailed documentation (including browser support) on all of the options you can stuff in that sandbox attribute frustratingly difficult to locate
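An added example, not posted by anyone in this thread, of the `<iframe sandbox>` approach discussed above: a hypothetical helper `sandboxedSvgIframe` embeds untrusted SVG through `srcdoc` so it renders in an opaque origin, and refuses the one flag combination (`allow-scripts` plus `allow-same-origin`) that lets framed content strip its own sandbox attribute.

```javascript
// Added example (not from the thread). Builds the markup for a sandboxed
// iframe that displays untrusted SVG; the sandbox attribute omits
// allow-same-origin, so the frame gets an opaque origin even if scripts run.

// Escape a string for use inside a double-quoted HTML attribute (srcdoc).
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// untrustedSvg: SVG markup from an untrusted source (constructed sample below).
// allow: optional list of sandbox flags to grant, e.g. ["allow-scripts"].
function sandboxedSvgIframe(untrustedSvg, allow = []) {
  const flags = new Set(allow);
  // Granting both flags lets the framed document reach its parent and remove
  // the sandbox attribute, which defeats the whole isolation.
  if (flags.has("allow-scripts") && flags.has("allow-same-origin")) {
    throw new Error("allow-scripts together with allow-same-origin defeats the sandbox");
  }
  for (const f of flags) {
    if (!/^allow-[a-z-]+$/.test(f)) throw new Error(`malformed sandbox flag: ${f}`);
  }
  // The SVG is wrapped in a minimal HTML document; the whole document is
  // attribute-escaped so the untrusted markup cannot break out of srcdoc.
  const doc = `<!doctype html><meta charset="utf-8"><body>${untrustedSvg}</body>`;
  return (
    `<iframe sandbox="${[...flags].join(" ")}" ` +
    `srcdoc="${escapeAttr(doc)}" referrerpolicy="no-referrer"></iframe>`
  );
}

// Constructed sample of hostile SVG: inline script plus an event handler.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">' +
  '<script>alert(2)</script><circle r="4"/></svg>';

module.exports = { escapeAttr, sandboxedSvgIframe, SAMPLE_SVG };
```

With an empty flag list the frame cannot run scripts at all; with `["allow-scripts"]` it can, but only inside an opaque origin with no access to the embedding page's DOM, cookies or storage.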