1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Widget security and checking domains

Discussion in 'Web Design, HTML And CSS' started by Typr451, May 3, 2011.

  1. Typr451

    Typr451 New Member

    Joined:
    Apr 11, 2009
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    0
    I'm working on a CMS and I wonder how secure it needs to be when users are allowed to either include entire snippets of HTML-code (widgets) or just insert URLs into existing widgets.

    My gut tells me to validate everything inside SRC-attributes and make sure it's of the form "http" with an approved domain. Is it enough or is it unneccessary?

    I went through Wikipedia again about the same-origin policy for JS but I'm not enterily sure just what it means for the URLs posted in iframes etc. I mean aprently I allow iframes to access other domains through the SRC-attribute and it executes whatever page is there. Though that isn't harmful for my site it's just for users visiting my site? I'm imagining what would be harmful for my site would be the other way around if I would allow other sites' iframes to access one of my pages.

    Of-course I shouldn't allow anything that's harmful for users but I'm thinking it's the same for IMG-tags? They've also got SRC-attributes that can access other sites' pages. Is there something built-in that protects or do I need to check all links just as much? I suppose I should do that anyway, I'm just thinking about different levels of users what they should be able to do.
     

Share This Page