Dashboard possible Security issue
Hello,
In the RTC dashboard it is not possible to add JavaScript for security reasons; however, it is possible to embed iFrames with all sorts of JavaScript, Java and Flash inside.
You can try by adding an HTML ViewLet with the following code:
<div style="margin:5px">
<iframe src="http://www.google.com" align="middle" width="409" height="400" frameborder="0" marginheight="0" scrolling="auto">Sorry, your browser doesn't support this feature.</iframe>
</div>
to have a working Google page,
but you can also add pages containing full Java applications:
<div style="margin:5px">
<iframe src="http://www.schubart.net/rc/" align="middle" width="409" height="400" frameborder="0" marginheight="0" scrolling="auto">Sorry, your browser doesn't support this feature.</iframe>
</div>
and even full-screen Flash presentations (it's a joke, press ESC to close):
<div style="margin:5px">
<object style="visibility: visible;" id="swf3ded1" data="http://www.bunnyhero.org/static/faketest/fullscreen test 1.swf" type="application/x-shockwave-flash" width="200" height="50"><param value="window" name="wmode"><param value="true" name="menu"><param value="autohigh" name="quality"><param value="#FFFFFF" name="bgcolor"><param value="true" name="allowFullScreen"></object>
</div>
Doesn't this pose a security concern?
Why disable JavaScript but leave iFrames?
Thanks
Umberto
8 answers
Hi Umberto,
From what I've seen and read, browsers are quite good when it comes to iframe security. With the same-origin policy in place, the browser will not let the script in the iframe reach out and do anything to the outer window unless it's from the same host.
If you can find any specific vulnerabilities, please e-mail me directly at curtispd@ca.ibm.com (rather than exposing a vulnerability here).
Thanks,
Curtis
Hi,
Does anybody know about changes in this respect? Umberto, in RTC 3.0.1 it seems your examples don't work anymore for the HTML viewlet.
Thanks!
Regards,
Jorge.
Hi Jorge,
In my experience it seems that iframes and scripts have been removed from the Dashboard in version 2.0.x, but I was unable to find any work item related to this change.
My dashboard was relying on iframes to display a lot of information from other locations.
Regards,
If iframes can be used in the new External Content viewlet, why not enable them in Headlines and HTML and make life a little easier for us users out here? I would like to use Headlines but I need a way to externalize the data (HTML), and iframes would be the perfect solution, except I can't use them. I would like to avoid writing a custom viewlet just for this, but it looks like there is no alternative. Say it ain't so, Joe.
The original motivation for restricting iframes to the external content viewlet was to hook up to the server whitelist for security. However, since then we have abandoned this due to poor usability and because it could inadvertently decrease security by whitelisting entire domains for all components.
Nevertheless, it still provides better security because it's always visible and apparent (no hidden iframes making secret requests), and provides a single point of entry for URL validation to filter out javascript URLs, etc.
Would it be possible to put all the content in the iframe's page rather than having a mixture of static and iframed content? Or perhaps if you put two adjacent viewlets (one headlines, one external content) with no trim they can show the content in a more presentable way?
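The single point of entry for URL validation that this answer describes, as an added example that is not Jazz/RTC code: it assumes an External Content style viewlet that receives the iframe address as a plain string, and a WHATWG-compliant URL class (Node.js or a modern browser). Names such as validateIframeSrc and buildIframe are hypothetical.

```javascript
// Assumes a WHATWG-compliant URL class (Node.js or any modern browser).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised absolute URL if it is acceptable as an iframe src,
// otherwise null. Rejecting rather than "cleaning" keeps the rule auditable.
function validateIframeSrc(candidate) {
  if (typeof candidate !== "string") return null;
  let parsed;
  try {
    // Absolute URLs only: a relative path would silently resolve against the
    // dashboard's own origin, so it is refused instead of guessed at.
    parsed = new URL(candidate);
  } catch (e) {
    return null;
  }
  // The parser lower-cases the scheme and strips tabs, newlines and surrounding
  // whitespace, so " JavaScript:alert(1)" and "java\tscript:alert(1)" both
  // normalise to the "javascript:" scheme and fail this allow-list check.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Embedded credentials serve no purpose in a viewlet and are a classic
  // deception trick ("https://login.example@attacker.test/"); refuse them.
  if (parsed.username !== "" || parsed.password !== "") return null;
  return parsed.href;
}

// Renders the iframe the way a viewlet would, only after validation, and
// attribute-escapes the URL so a stray quote cannot break out of src="...".
function buildIframe(candidate) {
  const href = validateIframeSrc(candidate);
  if (href === null) return null;
  const escaped = href.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${escaped}" width="409" height="400"></iframe>`;
}

// Constructed sample inputs: the two pages from the question plus cases that a
// naive "starts with javascript:" string comparison would let through.
const SAMPLES = [
  "http://www.google.com",
  "http://www.schubart.net/rc/",
  "javascript:alert(1)",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "https://user:secret@example.test/",
  "/relative/path",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", validateIframeSrc(s));
}
```

Only the first two samples survive; everything a string-prefix check would miss (mixed case, leading whitespace, embedded tab, data: scheme, credentials, relative path) is rejected by the same rule.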
Comments
This has come up again today. What we would like to do is to externalize the content of the headlines dashboard widget so that we do not have to give project dashboard authority to someone just to update a headline. We could do this with iframes, just give each page of the headlines a static url to load, but we need iframe to work.