Sandboxing the dweb

Sandboxing content generated within a page

Goal: We want to load arbitrary and untrusted HTML/CSS/JS into an iframe. We want protection from Spectre et al. style attacks, and also from JavaScript execution escaping the confines of the iframe.

Scenario: With an E2E encrypted web application, html/css/js resources are decrypted locally. We want to display them inside a sandboxed iframe.

This POC demonstrates how we envisaged this working:

Limitation of POC: Relies on WritableStream in service workers. This has been available in Chrome for some time. As of Dec 2019 it is available, but not enabled by default, in Firefox Nightly (about:config pref javascript.options.writable_streams).

Note: Firefox nightly helpfully provides the following message: 'An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.'

Problem: It is not possible to intercept requests from inside the iframe unless the sandbox attribute contains allow-same-origin, because a sandboxed document without that token gets an opaque origin and is not controlled by the service worker. Taken together with the note above, the two requirements (run untrusted scripts, serve them through the service worker) conflict.
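As an added example (not code from the POC), the checker below encodes the conflict between the Problem and the Note above: it parses a sandbox attribute value, reports whether the parent origin's service worker can intercept the frame's requests and whether the frame can remove its own sandbox, and tries to choose a token set for the dweb scenario. Function names (parseSandbox, assessSandbox, chooseSandbox) and the token subset are assumptions.

```javascript
// Added example, not part of the POC. Assesses an <iframe sandbox="..."> value
// against the two things this page needs: service-worker interception and
// untrusted script execution. Function names are hypothetical.

// Subset of the sandbox tokens defined by the HTML spec (not exhaustive).
const KNOWN_TOKENS = new Set([
  'allow-forms', 'allow-modals', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

// The attribute is an ASCII case-insensitive, whitespace-separated token set.
function parseSandbox(attr) {
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

function assessSandbox(attr) {
  const tokens = parseSandbox(attr);
  const sameOrigin = tokens.has('allow-same-origin');
  const scripts = tokens.has('allow-scripts');
  return {
    unknownTokens: [...tokens].filter((t) => !KNOWN_TOKENS.has(t)),
    // Without allow-same-origin the frame gets an opaque origin; the parent
    // origin's service worker does not control it, so its fetches bypass the SW.
    serviceWorkerCanIntercept: sameOrigin,
    // With both tokens, script in the frame can reach parent.document, strip
    // the sandbox attribute from its own <iframe> and reload itself unsandboxed
    // (the Firefox Nightly warning quoted above).
    canRemoveOwnSandbox: sameOrigin && scripts,
  };
}

// Picks the minimal token set for a set of needs, or null when no safe set exists.
function chooseSandbox({ runScripts, interceptViaServiceWorker }) {
  const tokens = [];
  if (runScripts) tokens.push('allow-scripts');
  if (interceptViaServiceWorker) tokens.push('allow-same-origin');
  // This is exactly the combination the page runs into: both needs together
  // give the frame the means to remove its own sandbox, so refuse it.
  if (assessSandbox(tokens.join(' ')).canRemoveOwnSandbox) return null;
  return tokens;
}
```

For the dweb scenario (scripts plus service-worker interception) chooseSandbox returns null, which is the Problem stated above in code form.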

References: Issue #1390, Issue #1437, Issue #765

iframe sandbox attribute: allow-same-origin