Security Restrictions

Sandbox iFrame

Embedding a third-party page in an iFrame carries risk if that page is hostile. Fortunately, GEVME Virtual renders iFrames with sandbox restrictions by default, which applies extra restrictions to the content in the frame.

In GEVME Virtual, the default iFrame attributes used are as such:

<iframe 
  src="${src}" 
  sandbox="allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation allow-downloads allow-modals allow-presentation allow-same-origin" 
  allow="camera *; microphone *; accelerometer; magnetometer; autoplay; encrypted-media; gyroscope; geolocation; picture-in-picture; xr-spatial-tracking; webvr; vr; webxr; xr" allowfullscreen="" 
  seamless="" 
  loading="lazy" 
  frameborder="0" 
  style="width: 100%; height: 100%;">
</iframe>

src

The URL of the page to embed. Use a value of about:blank to embed an empty page that conforms to the same-origin policy. Also note that programmatically removing an <iframe>'s src attribute (e.g. via Element.removeAttribute()) causes about:blank to be loaded in the frame in Firefox (from version 65), Chromium-based browsers, and Safari/iOS.

sandbox

| Attribute | Description |
| --- | --- |
| allow-scripts | Lets the resource run scripts (but not create popup windows). |
| allow-forms | Allows the resource to submit forms. If this keyword is not used, form submission is blocked. |
| allow-popups | Allows popups (such as window.open(), target="_blank", or showModalDialog()). If this keyword is not used, the popup will silently fail to open. |
| allow-popups-to-escape-sandbox | Lets the sandboxed document open new windows without those windows inheriting the sandboxing. For example, this can safely sandbox an advertisement without forcing the same restrictions upon the page the ad links to. |
| allow-top-navigation-by-user-activation | Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture. |
| allow-downloads | Allows for downloads to occur with a gesture from the user. |
| allow-modals | Lets the resource open modal windows. |
| allow-presentation | Lets the resource start a presentation session. |
| allow-same-origin | If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs). |

You may find the full list of sandbox iFrame attributes here.

allow

Specifies a feature policy for the <iframe>. The policy defines what features are available to the <iframe> based on the origin of the request (e.g. access to the microphone, camera, battery, web-share API, etc.).

For more information and examples see: Using Feature Policy > The iframe allow attribute.

allowFullScreen

Set to true if the <iframe> can activate fullscreen mode by calling the requestFullscreen() method.

loading

Indicates how the browser should load the iframe:

  • eager: Load the iframe immediately, regardless if it is outside the visible viewport (this is the default value).
  • lazy: Defer loading of the iframe until it reaches a calculated distance from the viewport, as defined by the browser.

frameBorder

The value 1 (the default) draws a border around this frame. The value 0 removes the border around this frame, but you should instead use the CSS property border to control <iframe> borders.

Immutable window.GEVME object

To reduce the possibility of synchronization issues and to keep the application state thread-safe, the window.GEVME object is made immutable once it is initialized, by calling Object.freeze(window.GEVME).
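As an added example (not GEVME's own code), the following shows the caveat a reviewer would want to check here: Object.freeze() is shallow, so nested objects inside a frozen window.GEVME stay writable unless the whole tree is frozen. The GEVME object shape and its field names below are constructed for illustration.

```javascript
// Added example, not GEVME's own code. Object.freeze() is shallow: it locks
// the object's own properties but not the objects they point to. deepFreeze
// walks the tree. The GEVME object shape below is constructed for illustration.

function deepFreeze(obj) {
  Object.freeze(obj);                  // freeze this level first so cycles terminate
  for (const key of Reflect.ownKeys(obj)) {
    const value = obj[key];
    if (value !== null && typeof value === 'object' && !Object.isFrozen(value)) {
      deepFreeze(value);
    }
  }
  return obj;
}

// Attempts obj[key] = value and reports whether the write took effect.
// Works in both sloppy mode (silent failure) and strict mode (TypeError).
function writeSucceeded(obj, key, value) {
  try { obj[key] = value; } catch (e) { /* TypeError when frozen in strict mode */ }
  return obj[key] === value;
}

function makeSampleGevme() {           // constructed sample, not the real object
  return { version: '1.0', settings: { allowExternalRequests: false } };
}

// Shallow freeze, as in Object.freeze(window.GEVME): the top level is
// protected, but the nested settings object can still be modified.
function demoShallowFreeze() {
  const g = Object.freeze(makeSampleGevme());
  return {
    topMutated: writeSucceeded(g, 'version', '9.9'),
    nestedMutated: writeSucceeded(g.settings, 'allowExternalRequests', true),
  };
}

// Deep freeze: both the top level and the nested objects reject writes.
function demoDeepFreeze() {
  const g = deepFreeze(makeSampleGevme());
  return {
    topMutated: writeSucceeded(g, 'version', '9.9'),
    nestedMutated: writeSucceeded(g.settings, 'allowExternalRequests', true),
  };
}
```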

CSP Policy

Introduction

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

CSP is designed to be fully backward compatible (except CSP version 2 where there are some explicitly-mentioned inconsistencies in backward compatibility; more details here). Browsers that don't support it still work with servers that implement it, and vice-versa: browsers that don't support CSP ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy.

CSP Attributes

You may refer to the full list of CSP attributes here.

| Attribute | Description |
| --- | --- |
| 'none' | Refers to the empty set; that is, no URLs match. The single quotes are required. |
| 'self' | Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the Data attribute. |
| <host-source> | Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source. |

Supported CSP Policies

| CSP policy | Default attribute | Policy description |
| --- | --- | --- |
| default-src | 'none' | The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives. |
| | 'self' | The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution. |
| navigate-to | 'self' | The HTTP Content-Security-Policy (CSP) navigate-to directive restricts the URLs to which a document can initiate navigations by any means including <form> (if form-action is not specified), <a>, window.location, window.open, etc. This is an enforcement on what navigations this document initiates, not on what this document is allowed to navigate to. |
| upgrade-insecure-requests | | The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten. The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set either directive, but not both, unless you want to force HTTPS on older browsers that do not force it after a redirect to HTTP. The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks. |
| connect-src | 'self' | The HTTP Content-Security-Policy (CSP) connect-src directive restricts the URLs which can be loaded using script interfaces. The APIs that are restricted are: <a> ping, WindowOrWorkerGlobalScope.fetch, XMLHttpRequest, WebSocket, EventSource, and Navigator.sendBeacon(). |
| script-src | 'self' blob: 'unsafe-inline' 'unsafe-eval' unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com | The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution. |
| font-src | 'self' data: blob: fonts.google.com fonts.gstatic.com fonts.googleapis.com unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com | The HTTP Content-Security-Policy (CSP) font-src directive specifies valid sources for fonts loaded using @font-face. |
| style-src | 'self' blob: 'unsafe-inline' 'unsafe-eval' fonts.google.com fonts.gstatic.com fonts.googleapis.com unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com | The HTTP Content-Security-Policy (CSP) style-src directive specifies valid sources for stylesheets. |
| media-src | | The HTTP Content-Security-Policy (CSP) media-src directive specifies valid sources for loading media using the <audio> and <video> elements. |
| img-src | | The HTTP Content-Security-Policy img-src directive specifies valid sources of images and favicons. |
| worker-src | 'self' | The HTTP Content-Security-Policy (CSP) worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. |
| child-src | 'self' | The HTTP Content-Security-Policy (CSP) child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. For workers, non-compliant requests are treated as fatal network errors by the user agent. |
| object-src | | The HTTP Content-Security-Policy object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements. To set allowed types for <object>, <embed>, and <applet> elements, use the plugin-types directive. Elements controlled by object-src are perhaps coincidentally considered legacy HTML elements and aren't receiving new standardized features (such as the security attributes sandbox or allow for <iframe>). Therefore it is recommended to restrict this fetch directive (e.g. explicitly set object-src 'none' if possible). |
| frame-ancestors | 'self' | The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. Setting this directive to 'none' is similar to X-Frame-Options: deny (which is also supported in older browsers). |
| frame-src | | The HTTP Content-Security-Policy (CSP) frame-src directive specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>. |
| form-action | 'self' | The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of form submissions from a given context. |

Block External Network Request

In GEVME, any network (HTTP) request made to an external site is blocked by default. For example, fetch("https://www.google.com/") will throw an error. Any request that needs to reach an external site must be requested from the GEVME admin.
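As an added example (not GEVME's own code), the matcher below evaluates a CSP source list the way the attributes table above describes ('none', 'self', scheme sources such as blob:, and host sources with an optional leading "*." and an optional port where "*" means any port), and shows that the external fetch described in this section is refused under a connect-src of 'self'. The directive values are taken from the table above; the document origin and the tested URLs are assumptions.

```javascript
// Added example, not GEVME's own code: a simplified matcher for the CSP source
// expressions listed above ('none', 'self', scheme sources such as blob:, and
// host sources with an optional leading "*." and an optional port, where "*"
// means any port). Keyword sources such as 'unsafe-inline' never match a URL.
// Paths in host sources and ws:/wss: schemes are not handled.

function matchesSource(expr, url, doc) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === doc.origin;
  if (expr.startsWith("'")) return false;              // keyword, never matches a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  if (expr === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Scheme: an explicit scheme must match; with none given, use the document's.
  // An http source or document also allows the https upgrade of the same host.
  const schemes = [scheme ? scheme.toLowerCase() + ':' : doc.protocol];
  if (schemes[0] === 'http:') schemes.push('https:');
  if (!schemes.includes(url.protocol)) return false;
  // Host: "*.example.com" matches subdomains only, not example.com itself.
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  // Port: "*" is any port; an absent port means the scheme's default port.
  if (port === '*') return true;
  if (port) return (url.port || (url.protocol === 'https:' ? '443' : '80')) === port;
  return url.port === '';
}

// True if any expression in the space-separated source list allows urlStr.
function urlAllowed(sourceList, urlStr, docOrigin) {
  const url = new URL(urlStr), doc = new URL(docOrigin);
  return sourceList.split(/\s+/).filter(Boolean).some((e) => matchesSource(e, url, doc));
}

// Directive values taken from the table above; the document origin is assumed.
const DOC_ORIGIN = 'https://virtual.example.test';
const CONNECT_SRC = "'self'";
const SCRIPT_SRC = "'self' blob: 'unsafe-inline' 'unsafe-eval' unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com";

// With connect-src 'self', the fetch("https://www.google.com/") from the text is refused.
function externalFetchAllowed() {
  return urlAllowed(CONNECT_SRC, 'https://www.google.com/', DOC_ORIGIN);
}
```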