Dashboard possible Security issue


Umberto Ghio (2121) | asked Jun 12 '08, 11:46 a.m.
Hello,
in the RTC dashboard it is not possible to add JavaScript for security reasons; however, it is possible to embed iFrames with all sorts of JavaScript, Java and Flash inside.

You can try by adding an HTML ViewLet with the following code:

<div style="margin:5px">
<iframe src="http://www.google.com" align="middle" width="409" height="400" frameborder="0" marginheight="0" scrolling="auto">Sorry, your browser doesn't support this feature.</iframe>
</div>

to get a working Google page.

But you can also add pages containing full Java applications:


<div style="margin:5px">
<iframe src="http://www.schubart.net/rc/" align="middle" width="409" height="400" frameborder="0" marginheight="0" scrolling="auto">Sorry, your browser doesn't support this feature.</iframe>
</div>


and even full-screen Flash presentations (it's a joke; press ESC to close):


<div style="margin:5px">
<object style="visibility: visible;" id="swf3ded1" data="http://www.bunnyhero.org/static/faketest/fullscreen test 1.swf" type="application/x-shockwave-flash" width="200" height="50"><param value="window" name="wmode"><param value="true" name="menu"><param value="autohigh" name="quality"><param value="#FFFFFF" name="bgcolor"><param value="true" name="allowFullScreen"></object>
</div>


Doesn't this pose a security concern?
Why disable JavaScript but leave iFrames enabled?

Thanks
Umberto

8 answers



Curtis d'Entremont (1.3k3) | answered Jun 12 '08, 3:04 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
Hi Umberto,

From what I've seen and read, browsers are quite good when it comes to iframe security. With the same-origin policy in place, the browser will not let the script in the iframe reach out and do anything to the outer window unless it's from the same host.

If you can find any specific vulnerabilities, please e-mail me directly at curtispd@ca.ibm.com (rather than exposing a vulnerability here).

Thanks,
Curtis

Jorge Diaz (8664434) | answered Jul 21 '11, 12:33 p.m.
JAZZ DEVELOPER
Hi,

does anybody know about changes in this respect? Umberto, in RTC 3.0.1 it seems your examples don't work anymore for the HTML viewlet.

Thanks!

Regards,

Jorge.

Umberto Ghio (2121) | answered Jul 22 '11, 7:22 a.m.
Hi,

does anybody know about changes in this respect? Umberto, in RTC 3.0.1 it seems your examples don't work anymore for the HTML viewlet.

Thanks!

Regards,

Jorge.


Hi Jorge,
In my experience it seems that iframes and scripts have been removed from the Dashboard in version 2.0.x, but I was unable to find any work item related to this change.
My dashboard was relying on iframes to display a lot of information from other locations.

Regards,

Curtis d'Entremont (1.3k3) | answered Jul 26 '11, 11:16 a.m.
FORUM MODERATOR / JAZZ DEVELOPER
In 3.0.1 there is a new viewlet, External Content, which you can use to embed outside pages on your dashboards (it uses an iframe internally to show the content). It can be configured with the URL, height, and refresh interval.

Jorge Diaz (8664434) | answered Jul 26 '11, 11:21 a.m.
JAZZ DEVELOPER
Hello Curtis,

that will embed the actual content into the viewlet, but if any jscript is needed, then we would have to create our own custom viewlet, right?

Thanks in advance for your help.

Regards,

Jorge.

Curtis d'Entremont (1.3k3) | answered Jul 26 '11, 11:31 a.m.
FORUM MODERATOR / JAZZ DEVELOPER
You can run any JavaScript in your HTML page inside the iframe, but not outside the iframe on the dashboard page. So if you need to construct or manage an iframe in a custom way, you would need to write a custom viewlet/gadget.

Daniel Reilly (1431620) | answered May 15 '12, 8:08 p.m.
If iframes can be used in the new External Content viewlet, why not enable them in Headlines and HTML and make life a little easier for us users out here? I would like to use Headlines, but I need a way to externalize the data (HTML), and iframes would be the perfect solution, except I can't use them. I would like to avoid writing a custom viewlet just for this, but it looks like there is no alternative. Say it ain't so, Joe.

Curtis d'Entremont (1.3k3) | answered May 16 '12, 1:37 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
The original motivation for restricting iframes to the External Content viewlet was to hook up to the server whitelist for security. However, since then we have abandoned this due to poor usability and because it could inadvertently decrease security by whitelisting entire domains for all components.

Nevertheless, it still provides better security because it's always visible and apparent (no hidden iframes making secret requests), and it provides a single point of entry for URL validation to filter out javascript: URLs, etc.

Would it be possible to put all the content in the iframe's page rather than having a mixture of static and iframed content? Or perhaps if you put two adjacent viewlets (one headlines, one external content) with no trim they can show the content in a more presentable way?
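The "single point of entry for URL validation" Curtis describes, as an added illustration that is not code from the thread or from RTC: the viewlet builds an iframe only from a URL that has passed one gate, which accepts http/https only and can restrict frames to an explicit host allowlist. The function names and the sample hosts are constructed for this example.

```javascript
// Added example, not RTC code: a single validation gate for an
// "External Content" style viewlet. Every iframe src passes through here.

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, url } for an acceptable URL, or { ok: false, reason }.
// allowedHosts is optional; when given, only those hostnames are embeddable.
function validateExternalContentUrl(rawUrl, allowedHosts = null) {
  if (typeof rawUrl !== "string") {
    return { ok: false, reason: "not a string" };
  }
  let parsed;
  try {
    // The WHATWG parser lower-cases the scheme and strips tabs/newlines
    // inside it, so "JavaScript:" and "java\tscript:" still read as
    // javascript:. Relative URLs throw and are rejected.
    parsed = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable or relative URL" };
  }
  if (!SAFE_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  if (allowedHosts && !allowedHosts.includes(parsed.hostname)) {
    return { ok: false, reason: `host ${parsed.hostname} not in allowlist` };
  }
  return { ok: true, url: parsed.href };
}

// Builds the iframe markup only from a validated URL. The src is
// attribute-escaped so a stored URL can never break out of the tag.
// Returns null when the URL is rejected, so the caller renders nothing.
function buildExternalContentFrame(rawUrl, allowedHosts = null) {
  const result = validateExternalContentUrl(rawUrl, allowedHosts);
  if (!result.ok) return null;
  const src = result.url.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${src}" width="409" height="400"></iframe>`;
}
```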

Comments
Daniel Reilly commented Mar 18 '14, 7:37 p.m.

This has come up again today. What we would like to do is to externalize the content of the Headlines dashboard widget so that we do not have to give project dashboard authority to someone just to update a headline. We could do this with iframes, just give each page of the headlines a static URL to load, but we need iframes to work.
