šŸ„‹

Security Restrictions

Sandbox iFrame

The iFrame element has a risk element involved if the site embedded is on an hostile site. Fortunately, GEVME Virtual renders an iFrame with sandbox restrictions by default to apply extra restrictions to the content in the frame.

In GEVME Virtual, the default iFrame attributes used are as such:

<iframe 
  src="${src}" 
  sandbox="allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation allow-downloads allow-modals allow-presentation allow-same-origin" 
  allow="camera *; microphone *; accelerometer; magnetometer; autoplay; encrypted-media; gyroscope; geolocation; picture-in-picture; xr-spatial-tracking; webvr; vr; webxr; xr" allowfullscreen="" 
  seamless="" 
  loading="lazy" 
  frameborder="0" 
  style="width: 100%; height: 100%;">
</iframe>

src

The URL of the page to embed. Use a value of about:blank to embed an empty page that conforms to the same-origin policy. Also note that programmatically removing anĀ <iframe>ā€™s src attribute (e.g. via Element.removeAttribute()) causes about:blank to be loaded in the frame in Firefox (from version 65), Chromium-based browsers, and Safari/iOS.

sandbox

Untitled

AttributeDescription
allow-scripts
Lets the resource run scripts (but not create popup windows).
allow-forms
Allows the resource to submit forms. If this keyword is not used, form submission is blocked.
allow-popups
Allows popups (such as window.open(), target=ā€_blankā€, or showModalDialog()). If this keyword is not used, the popup will silently fail to open.
allow-popups-to-escape-sandbox
Lets the sandboxed document open new windows without those windows inheriting the sandboxing. For example, this can safely sandbox an advertisement without forcing the same restrictions upon the page the ad links to.
allow-top-navigation-by-user-activation
Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
allow-downloads
Allows for downloads to occur with a gesture from the user.
allow-modals
Lets the resource openĀ modal windows.
allow-presentation
Lets the resource start aĀ presentation session.
allow-same-origin
If this token is not used, the resource is treated as being from a special origin that always fails theĀ same-origin policyĀ (potentially preventing access toĀ data storage/cookiesĀ and some JavaScript APIs).

You may find the full attributes of sandbox iFrameĀ here.

allow

Specifies aĀ feature policyĀ for theĀ <iframe>. The policy defines what features are available to theĀ <iframe>Ā based on the origin of the request (e.g. access to the microphone, camera, battery, web-share API, etc.).

For more information and examples see:Ā Using Feature PolicyĀ >Ā The iframe allow attribute.

allowFullScreen

Set to true if the <iframe> can activate fullscreen mode by calling theĀ requestFullscreen()Ā method.

loading

Indicates how the browser should load the iframe:

  • eager: Load the iframe immediately, regardless if it is outside the visible viewport (this is the default value).
  • lazy: Defer loading of the iframe until it reaches a calculated distance from the viewport, as defined by the browser.

frameBorder

The value 1 (the default) draws a border around this frame. The value 0 removes the border around this frame, but you should instead use the CSS propertyĀ borderĀ to controlĀ <iframe>Ā borders.

Immutable window.GEVME object

To reduce the possibility of synchronization issues and making the application thread-safe, the window.GEVME object is made immutable once it is initialized by usingĀ Object.freeze(window.GEVME).

CSP Policy

Introduction

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

CSP is designed to be fully backward compatible (except CSP version 2 where there are some explicitly-mentioned inconsistencies in backward compatibility;Ā more details here). Browsers that donā€™t support it still work with servers that implement it, and vice-versa: browsers that donā€™t support CSP ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesnā€™t offer the CSP header, browsers likewise use the standardĀ same-origin policy.

CSP Attributes

You may refer to the full CSP AttributesĀ here.

Untitled

AttributesDescription
none
Refers to the empty set; that is, no URLs match. The single quotes are required.
self
Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the Data attribute.
<host-source>
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The siteā€™s address may include an optional leading wildcard (the asterisk character, ā€˜ā€™), and you may use a wildcard (again, ā€˜ā€™) as the port number, indicating that all legal ports are valid for the source.

Supported CSP Policies

Untitled

CSP policyDefault AttributePolicy Description
default-src
none
The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSPĀ fetch directives.
manifest-src
self
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly intoĀ <script>Ā elements, but also things like inline script event handlers (onclick) andĀ XSLTĀ stylesheets which can trigger script execution.
navigate-to
self
The HTTP Content-Security-Policy (CSP) navigate-to directive restricts the URLs to which a document can initiate navigations by any means includingĀ <form>Ā (if form-action is not specified),Ā <a>, window.location, window.open, etc. This is an enforcement on what navigations this document initiates not on what this document is allowed to navigate to.
upgrade-insecure-requests
Ā 
The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a siteā€™s insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten. The upgrade-insecure-requests directive is evaluated beforeĀ block-all-mixed-contentĀ and if it is set, the latter is effectively a no-op. It is recommended to set either directive, but not both, unless you want to force HTTPS on older browsers that do not force it after a redirect to HTTP. The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace theĀ Strict-Transport-SecurityĀ (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.
connect-src
self
The HTTP Content-Security-Policy (CSP)Ā connect-srcĀ directive restricts the URLs which can be loaded using script interfaces. The APIs that are restricted are:Ā <a>Ā ping, WindowOrWorkerGlobalScope.fetch, XMLHttpRequest, WebSocket, EventSource, and Navigator.sendBeacon().
script-src
selfblob: ā€˜unsafe-inlineā€™ ā€˜unsafe-evalā€™ unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly intoĀ <script>Ā elements, but also things like inline script event handlers (onclick) andĀ XSLTĀ stylesheets which can trigger script execution.
font-src
selfdata: blob: fonts.google.com fonts.gstatic.com fonts.googleapis.com unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com
The HTTP Content-Security-Policy (CSP) font-src directive specifies valid sources for fonts loaded usingĀ @font-face.
style-src
selfblob: ā€˜unsafe-inlineā€™ ā€˜unsafe-evalā€™ fonts.google.com fonts.gstatic.com fonts.googleapis.com unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com
The HTTP Content-Security-Policy (CSP) style-src directive specifies valid sources for stylesheets.
media-src
Ā 
The HTTP Content-Security-Policy (CSP) media-src directive specifies valid sources for loading media using theĀ <audio>Ā andĀ <video>Ā elements.
img-src
Ā 
The HTTP Content-Security-Policy img-src directive specifies valid sources of images and favicons.
worker-src
self
The HTTP Content-Security-Policy (CSP) worker-src directive specifies valid sources forĀ Worker,Ā SharedWorker, orĀ ServiceWorkerĀ scripts.
child-src
self
The HTTP Content-Security-Policy (CSP) child-src directive defines the valid sources forĀ web workersĀ and nested browsing contexts loaded using elements such asĀ <frame>Ā andĀ <iframe>. For workers, non-compliant requests are treated as fatal network errors by the user agent.
object-src
Ā 
The HTTP Content-Security-Policy object-src directive specifies valid sources for theĀ <object>,Ā <embed>, andĀ <applet>Ā elements.To set allowed types forĀ <object>,Ā <embed>, andĀ <applet>Ā elements, use the plugin-types directive. Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and arenā€™t receiving new standardized features (such as the security attributes sandbox or allow forĀ <iframe>). Therefore it is recommended to restrict this fetch-directive (e.g. explicitly set object-src ā€˜noneā€™ if possible).
frame-ancestors
self
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page usingĀ <frame>,Ā <iframe>,Ā <object>,Ā <embed>, orĀ <applet>.Setting this directive to ā€˜noneā€™ is similar toĀ X-Frame-Options: deny (which is also supported in older browsers).
frame-src
Ā 
The HTTP Content-Security-Policy (CSP) frame-src directive specifies valid sources for nested browsing contexts loading using elements such asĀ <frame>Ā andĀ <iframe>.
form-action
self
The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of a form submissions from a given context.

Block External Network Request

In GEVME, any network (HTTP) request made to external sites are blocked by default. Eg:Ā fetch("https://www.google.com/)Ā will throw an error. Any necessary request to access an external site needs to be made to GEVME admin.