2

I run a site that displays user-generated SVGs. They are untrusted, so they need to be sandboxed.

I currently embed these SVGs using <object> elements. (Unlike <img>, this allows loading external fonts. And unlike using an <iframe>, the <object> resizes to the SVG's content size. See this discussion.)

However, I don't know whether these SVGs are appropriately sandboxed when using <object>. The <iframe> permissions model is fairly clear, e.g. <iframe sandbox="allow-scripts"> disallows everything except running scripts. But what is the sandbox/permission model for <object> elements?

  • When I embed a page using <object>, what can that page do by default? E.g. what cookies can it access? Is it the same as an <iframe> without the sandbox attribute?
  • What are the implications of hosting the user content SVGs on the same domain? Should I instead host them on foobarusercontent.com?
  • Does the <object> tag support an equivalent of the sandbox attribute? Is there another way to set permissions for an <object>?
  • What specifications describe the security model for <object>?
jameshfisher
  • 34,029
  • 31
  • 121
  • 167

2 Answers2

1

Looking at the html specifications it doesn't seem like it's possible to set a sandbox attribute.

HTML Specifications

Here's some examples of how object might be used.

Examples

According to Mozilla, adding a sandbox attribute object was discussed at some point on whatwg's mailing list.

Reference to discussion mention

It seems the iframe tag has existed since May 2008 according to this. I've been looking through the mailing list from that date but I haven't found that discussion about object sandboxing yet.

iframe added discussion

Here's the mailing list thats been archived.

whatwg mailing list archive

I think for any further information you should consider chatting with WhatWG right here.

WhatWG Chat

SpyderCoder
  • 99
  • 6
  • Thanks. This line is interesting: "implementing @sandbox on - this was discussed on the whatwg list, currently we don't want to do this, since the meaning of sandbox on is confusing - it would apply in some contexts and not others". I assume they mean because `` can also be used for PDFs, videos, etc. In the absence of specification, I can only think to open bugs on Chromium/Firefox, asking for an implementation-level description of the sandbox. – jameshfisher Mar 03 '22 at 11:47
1

When I embed a page using <object>, what can that page do by default? E.g. what cookies can it access? Is it the same as an <iframe> without the sandbox attribute?

Yes (at least in some browsers). The object can access the cookies that are on the same origin that it is included from (but not the origin that includes it).

You can test this with a an svg file:

<svg xmlns="http://www.w3.org/2000/svg" width="400" height="110">
  <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
  <script>alert(document.cookie)</script>
</svg>

which you can include:

<script>document.cookie="test=test";</script>
<object data=./x.svg></object>

This will work in firefox (but not in Chrome, which apparently blocks JavaScript in objects; though I'm not sure if this behavior is documented, and I wouldn't rely on it for security purposes).

If the data attribute references a different domain, you won't be able to access the cookies of the embedding page (via top or parent; at least in firefox).

What are the implications of hosting the user content SVGs on the same domain? Should I instead host them on foobarusercontent.com?

Yes, that would restrict the users actions to the origin foobarusercontent.com (which may or may not be appropriate for your use).

Does the <object> tag support an equivalent of the sandbox attribute? Is there another way to set permissions for an <object>?

Not as far as I am aware (see also mozilla, which doesn't list any relevant tags).

What specifications describe the security model for <object>?

I am unaware of a standard for this. Because of this, I would be very careful when embedding user-supplied data into an object. Hosting the data on a designated domain is a good idea. Parsing the data and filtering malicious (javascript-related) tags and attributes would also be good (if acceptable). Do ensure that it is acceptable that users can run JavaScript on that domain (ie no auth cookies; I also wouldn't allow uploading of .js files to the domain, as it would allow installation of serviceworkers, which would allow an attacker to log URLs users visit, and thus possibly disclose (private) files hosted on the domain).

tim
  • 1,999
  • 17
  • 32