Why don't web email clients put emails in an iframe?

TL;DR: an iframe cannot replace sanitization completely, but it is a great feature to use as security in depth. Unfortunately, it does get in the way of some user-friendliness features.


I would be interested in hearing a more informed answer, but I'm going to post some points I'm aware of.

Same Origin Policy works both ways. It's great that it keeps the iframe from seeing the outer document content. Unfortunately, if you select text, the outer document cannot tell what text was selected in the iframe. (thanks @paj28) One could use the postMessage feature by adding a script to the inner page to work around this, but it is inconvenient. Furthermore, this will not work if you use iframe sandbox as a way to disable scripts (which I would highly recommend).

You will want to use Content Security Policy (again, thanks @paj28) to disable beacons within the iframed content; and also to disable scripts and other potential issues.

I'd like to point out that iframe as originally designed is not complete. The sandbox attribute would be a must if you have any doubt in your sanitization. Unfortunately, the sandbox feature was only recently implemented. This is of diminishing significance as older browsers start to drop off the charts.

Disabling scripts would get in the way of user-friendliness features anyway such as detecting selected text. (It is possible you could get away with 'disable scripts and treat as same origin' rule of sandbox, but that seems risky.)

Any time you add your own scripts or interactive functionality to the iframe'd document, you will be much safer if you still sanitize that document. While iframe sandbox combined with CSP may cover you completely, there might be something missing from that formula.

So, in summary:

  • For browsers that don't support sandbox, the iframe mitigates significant security risks, but is unable to protect against many issues. Content Security Policy might be able to isolate the content, to a great extent. But you still need to sanitize to prevent things like <a target="_top">.

  • For browsers that do support sandbox, combined with a good Content Security Policy, you might be able to replace sanitization, but it is not advisable because it is hard to know for sure whether you are 100% secure. (sanitization routines on the other hand are older and better vetted)

  • If you have sanitization (which you probably should), and the sanitization is well vetted, then iframes only get in the way of user-friendliness. On the other hand, if a flaw is discovered in your sanitization, then you will be glad you iframed the content, using the sandbox attribute and CSP to reduce the scope of the attack.

Side note: desktop applications have more liberty in sandboxing their webviews, even better than the iframe sandbox attribute. So, for example, the Android apps could benefit.
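The layering the answer above describes, as an added example that is not part of the original post: a webmail host page wraps an already-sanitized message body in an iframe whose sandbox attribute is present but empty (no scripts, unique origin, no top-level navigation), injects a Content Security Policy via a meta tag to block remote images and other beacons, and, for the opt-in case where the inner document is given its own script to report text selections over postMessage, validates each message by its source window. The function and constant names (EMAIL_SANDBOX, EMAIL_CSP, buildFrameDocument, mountEmailFrame, makeSelectionListener) and the sample message are this example's own.

```javascript
// Added example: rendering a sanitized email body in a sandboxed iframe with
// a CSP. Sanitization still runs upstream; the frame is the second layer.
// All names here are assumptions for illustration, not any client's API.

// An empty sandbox attribute is the most restrictive setting: no scripts, a
// unique ("null") origin, no forms, no top-level navigation. In particular an
// <a target="_top"> inside the frame cannot navigate the host webmail page.
const EMAIL_SANDBOX = "";

// CSP for the framed document. Remote images, fonts, and fetches all act as
// tracking beacons for the sender, so only data: images and inline styles are
// allowed. Delivered as <meta http-equiv> because a srcdoc document carries no
// HTTP response headers of its own.
const EMAIL_CSP = [
  "default-src 'none'",
  "img-src data:",
  "style-src 'unsafe-inline'",
  "form-action 'none'",
  "base-uri 'none'",
].join("; ");

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttribute(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Wrap the (already sanitized) body in a minimal document carrying the CSP.
function buildFrameDocument(sanitizedHtml) {
  return (
    '<!DOCTYPE html><html><head><meta charset="utf-8">' +
    '<meta http-equiv="Content-Security-Policy" content="' +
    escapeAttribute(EMAIL_CSP) +
    '"></head><body>' + sanitizedHtml + "</body></html>"
  );
}

// Create the iframe and attach it to the host page.
function mountEmailFrame(container, sanitizedHtml) {
  const frame = container.ownerDocument.createElement("iframe");
  frame.setAttribute("sandbox", EMAIL_SANDBOX);      // present-but-empty = strictest
  frame.setAttribute("referrerpolicy", "no-referrer");
  frame.setAttribute("srcdoc", buildFrameDocument(sanitizedHtml));
  container.appendChild(frame);
  return frame;
}

// The opt-in variant from the answer: reading the user's selection requires a
// script inside the frame (sandbox="allow-scripts" plus a CSP that permits it),
// and then the host must verify every postMessage it receives. Without
// allow-same-origin the frame's origin is the literal string "null", so the
// reliable check is the event's source window, not its origin.
function makeSelectionListener(frame, onSelection) {
  return function onMessage(event) {
    if (event.source !== frame.contentWindow) return false;   // not our frame
    if (event.origin !== "null") return false;                // frame lost its sandbox
    const msg = event.data;
    if (!msg || msg.type !== "selection" || typeof msg.text !== "string") return false;
    onSelection(msg.text.slice(0, 10000));                    // bound accepted input
    return true;
  };
}

// Browser-only demo with a constructed message; skipped outside a DOM.
if (typeof document !== "undefined") {
  const frame = mountEmailFrame(document.body, "<p>Hello from a constructed message.</p>");
  window.addEventListener("message", makeSelectionListener(frame, (t) => console.log("selected:", t)));
}
```

The listener is only needed if you choose the interactive path; with the empty sandbox shown first, no script runs inside the frame and there is nothing to listen for. Keep the CSP in the frame even when scripts are disabled, since it is what stops remote image loads from confirming that a message was opened.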

Tags:

Email

Iframe