When the sandbox attribute is present, and it will:
* treat the content as being from a unique origin
* block form submission
* block script execution
* disable APIs
* prevent links from targeting other browsing contexts
* prevent content from using plugins (through <embed>, <object>, <applet>, or other)
* prevent the content to navigate its top-level browsing context
* block automatically triggered features (such as automatically playing a video or automatically focusing a form control)
I'd say alone blocking scripts, form submits, preventing links to change other contents and checking if there's behavior stuff in the CSS (which facilitates Javascript injection) is enough to have a secure webmail display. Responsive webmails \o/
Oh man, that is a dream. I had no idea that this was a thing. Too bad iframes themselves are kind of tricky to size correctly or I'd be using this willy-nilly. Skip sanitizing HTML and use a full sandboxed HTML iFrame for every comment on a user forum!
> Too bad iframes themselves are kind of tricky to size correctly
You could use an injected JS (postMessage with the iframe window height) and update the iframe height from the outside. And for the content you should just strip any script tags so you can safely allow scripting.
You should strip script tags in any case so that someone cannot use an API call which outputs raw comments as a delivery vector.
Also, you're putting users without sandbox attribute support on risk of being exploited... so you'd have to switch between two paths for display.
When the sandbox attribute is present, and it will:
* treat the content as being from a unique origin
* block form submission
* block script execution
* disable APIs
* prevent links from targeting other browsing contexts
* prevent content from using plugins (through <embed>, <object>, <applet>, or other)
* prevent the content to navigate its top-level browsing context
* block automatically triggered features (such as automatically playing a video or automatically focusing a form control)
I'd say alone blocking scripts, form submits, preventing links to change other contents and checking if there's behavior stuff in the CSS (which facilitates Javascript injection) is enough to have a secure webmail display. Responsive webmails \o/