Tags: html, security, iframe, browser, sandbox

What sandbox does an <object> element run in? Can this sandbox be configured?


I run a site that displays user-generated SVGs. They are untrusted, so they need to be sandboxed.

I currently embed these SVGs using <object> elements. (Unlike <img>, this allows loading external fonts. And unlike using an <iframe>, the <object> resizes to the SVG's content size. See this discussion.)

However, I don't know whether these SVGs are appropriately sandboxed when using <object>. The <iframe> permissions model is fairly clear, e.g. <iframe sandbox="allow-scripts"> disallows everything except running scripts. But what is the sandbox/permission model for <object> elements?

  • When I embed a page using <object>, what can that page do by default? E.g. what cookies can it access? Is it the same as an <iframe> without the sandbox attribute?
  • What are the implications of hosting the user content SVGs on the same domain? Should I instead host them on foobarusercontent.com?
  • Does the <object> tag support an equivalent of the sandbox attribute? Is there another way to set permissions for an <object>?
  • What specifications describe the security model for <object>?

Solution

  • When I embed a page using <object>, what can that page do by default? E.g. what cookies can it access? Is it the same as an <iframe> without the sandbox attribute?

    Yes (at least in some browsers). The object can access the cookies that are on the same origin that it is included from (but not the origin that includes it).

    You can test this with an SVG file:

    <svg xmlns="http://www.w3.org/2000/svg" width="400" height="110">
      <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
      <script>alert(document.cookie)</script>
    </svg>
    

    which you can include:

    <script>document.cookie="test=test";</script>
    <object data="./x.svg"></object>
    

    This will work in Firefox (but not in Chrome, which apparently blocks JavaScript in objects; though I'm not sure if this behavior is documented, and I wouldn't rely on it for security purposes).

    If the data attribute references a different domain, you won't be able to access the cookies of the embedding page (via top or parent; at least in Firefox).

  • What are the implications of hosting the user content SVGs on the same domain? Should I instead host them on foobarusercontent.com?

    Yes, that would restrict the user's actions to the origin foobarusercontent.com (which may or may not be appropriate for your use).

  • Does the <object> tag support an equivalent of the sandbox attribute? Is there another way to set permissions for an <object>?

    Not as far as I am aware (see also Mozilla, which doesn't list any relevant tags).

  • What specifications describe the security model for <object>?

    I am unaware of a standard for this. Because of this, I would be very careful when embedding user-supplied data into an object. Hosting the data on a designated domain is a good idea. Parsing the data and filtering malicious (JavaScript-related) tags and attributes would also be good (if acceptable). Do ensure that it is acceptable that users can run JavaScript on that domain (i.e. no auth cookies; I also wouldn't allow uploading of .js files to the domain, as it would allow installation of service workers, which would allow an attacker to log URLs users visit, and thus possibly disclose (private) files hosted on the domain).
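As an added example that is not part of the answer above, here is a conservative Python (standard library only) filter for the "parse and filter JavaScript-related tags and attributes" step, which also returns what it removed so uploads can be logged. The element set and the sample SVG are constructed for this example, and the filter complements rather than replaces hosting the files on a separate domain.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script, embed documents, or rewrite attributes at runtime
# (<set attributeName="href">). Constructed list: extend it to whatever your
# site does not need. Hrefs are allowlisted: fragments and plain http(s) only.
ACTIVE_ELEMENTS = {"script", "foreignObject", "set", "animate", "animateTransform", "animateMotion", "handler"}
SAFE_HREF = re.compile(r"^(#|https?://)", re.IGNORECASE)

def _local(name):
    return name.rsplit("}", 1)[-1]         # drop ElementTree's {namespace} prefix

def _clean(el, removed):
    for child in list(el):
        if _local(child.tag) in ACTIVE_ELEMENTS:
            el.remove(child)
            removed.append("element:" + _local(child.tag))
        else:
            _clean(child, removed)
    for name in list(el.attrib):
        lname, value = _local(name), el.attrib[name].strip()
        if lname.lower().startswith("on"):        # onload, onclick, onbegin, ...
            del el.attrib[name]
            removed.append("attribute:" + lname)
        elif lname == "href" and not SAFE_HREF.match(value):
            del el.attrib[name]                    # javascript:, data:, obfuscated schemes
            removed.append("href:" + value)

def sanitize_svg(svg_text):
    """Return (sanitized SVG text, list of removed items); raise on bad input."""
    # The stdlib parser expands internal entities, so reject DTDs outright.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    _clean(root, removed)
    return ET.tostring(root, encoding="unicode"), removed

SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.cookie)">
  <rect id="box" width="300" height="100" style="fill:rgb(0,0,255)"/>
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(document.cookie)"><use xlink:href="#box"/></a>
  <set attributeName="href" to="javascript:alert(1)"/>
</svg>"""  # constructed sample: the answer's SVG plus a handler, a javascript: link and a <set>
```

Run `sanitize_svg(SAMPLE_SVG)` to get the cleaned markup and the list of removed items; the `<rect>` and the fragment `<use>` reference survive while the script, handler, link and `<set>` are dropped.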