Embedded player, sandbox, and security

I’m working on integrating the Peertube player with a Hugo static site, and have a security concern about the iframe code.

The iframe code generated by Peertube is something like this:

<iframe
    width="560" 
    height="315"
    sandbox="allow-same-origin allow-scripts allow-popups"
    src="https://indymotion.fr/videos/embed/c1cdd69f-6baa-42cd-b322-5498fead449b?title=0&warningTitle=0&controls=0&peertubeLink=0"
    frameborder="0" 
    allowfullscreen>
</iframe>

I read in various sources that combining allow-same-origin and allow-scripts is a potential security problem. Reference: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

Are these variables absolutely mandatory for Peertube?

Made some tests:

If we remove the full sandbox attribute: all fine… but not secure at all…

<iframe
    width="560"
    height="315"
    src="https://indymotion.fr/videos/embed/f18f5749-54c5-43d1-8aa1-221ff503ded1"
    frameborder="0"
    allowfullscreen>
</iframe>

If we remove only allow-same-origin: embed, play and full screen are working fine; opening on the original site displays a blank page

<iframe 
    width="560" 
    height="315" 
    sandbox="allow-scripts allow-popups" 
    src="https://indymotion.fr/videos/embed/f18f5749-54c5-43d1-8aa1-221ff503ded1"
    frameborder="0" 
    allowfullscreen>
</iframe>

If we remove only allow-scripts: no embed at all!

<iframe 
    width="560" 
    height="315" 
    sandbox="allow-same-origin allow-popups" 
    src="https://indymotion.fr/videos/embed/f18f5749-54c5-43d1-8aa1-221ff503ded1"
    frameborder="0" 
    allowfullscreen>
</iframe>

If we remove only allow-popups: embed, play and full screen are working fine; opening on the original site is not working (clicking on « Peertube » produces nothing)

<iframe 
    width="560" 
    height="315" 
    sandbox="allow-same-origin allow-scripts" 
    src="https://indymotion.fr/videos/embed/f18f5749-54c5-43d1-8aa1-221ff503ded1"
    frameborder="0" 
    allowfullscreen>
</iframe>

Conclusion

1) Removing sandbox attribute is not a solution.

2) All options (allow-same-origin, allow-scripts, and allow-popups) are absolutely mandatory for the default Peertube iframe to work.

3) Using the Peertube iframe is clearly a potential security concern for the sites and blogs that use it… in case of a malicious or compromised Peertube instance.
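As an added example (not code from the post above or from the PeerTube project), the following Node/browser-neutral JavaScript audits a sandbox token list the way the MDN reference describes: it flags the dangerous case, where allow-scripts and allow-same-origin are combined on an embed that shares the host page's origin (the frame could then remove its own sandbox attribute), and reports the milder cross-origin case, where the frame keeps the instance's own origin but stays isolated from the parent DOM. It also notes that popups opened from the frame inherit the sandbox unless allow-popups-to-escape-sandbox is present, and that without allow-scripts the player cannot run, matching the tests above. The host origin `https://blog.example` and the finding codes are constructed for the example; the embed URL is the one from the post.

```javascript
// Added example: audit an iframe sandbox attribute from the embedding
// site's point of view, then build the iframe markup with chosen tokens.
// Not PeerTube code; finding codes and the host origin are constructed.

function parseSandbox(attr) {
  // sandbox="" is a space-separated DOMTokenList; empty string = fully sandboxed
  return new Set(attr.trim().split(/\s+/).filter(Boolean));
}

function auditSandbox(sandboxAttr, embedSrc, hostOrigin) {
  const tokens = parseSandbox(sandboxAttr);
  const embedOrigin = new URL(embedSrc).origin;
  const scripts = tokens.has("allow-scripts");
  const sameOrigin = tokens.has("allow-same-origin");
  const findings = [];

  if (scripts && sameOrigin && embedOrigin === hostOrigin) {
    // The case MDN warns about: a same-origin document with scripts can
    // reach the parent and strip the sandbox attribute from its own frame.
    findings.push({ code: "SANDBOX_ESCAPE",
      msg: "same-origin embed with allow-scripts + allow-same-origin can remove its sandbox" });
  } else if (scripts && sameOrigin) {
    // Cross-origin: the frame keeps its real origin (cookies, storage of the
    // instance) but the same-origin policy still isolates the parent DOM.
    findings.push({ code: "CROSS_ORIGIN_STATE",
      msg: `embed runs as ${embedOrigin}; parent DOM remains isolated` });
  }
  if (!scripts) {
    findings.push({ code: "NO_SCRIPTS", msg: "player JavaScript cannot run; embed will not render" });
  }
  if (tokens.has("allow-popups") && !tokens.has("allow-popups-to-escape-sandbox")) {
    findings.push({ code: "POPUPS_SANDBOXED", msg: "windows opened by the frame inherit the sandbox flags" });
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push({ code: "TOP_NAV", msg: "frame may navigate the embedding page" });
  }
  return { embedOrigin, tokens: [...tokens], findings };
}

function buildEmbed(embedSrc, tokens, { width = 560, height = 315 } = {}) {
  // Minimal attribute escaping so a src containing quotes cannot break out.
  const esc = (s) => String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  return `<iframe width="${width}" height="${height}" sandbox="${esc(tokens.join(" "))}" ` +
         `src="${esc(embedSrc)}" frameborder="0" allowfullscreen></iframe>`;
}

// Usage: audit the default PeerTube token set against a (constructed) blog origin.
const EMBED = "https://indymotion.fr/videos/embed/f18f5749-54c5-43d1-8aa1-221ff503ded1";
const report = auditSandbox("allow-same-origin allow-scripts allow-popups", EMBED, "https://blog.example");
for (const f of report.findings) console.log(f.code + ": " + f.msg);
console.log(buildEmbed(EMBED, ["allow-scripts", "allow-popups"]));
```

Run it with `node` to see which findings apply to each of the four token sets tested in the post; the audit only reasons about the tokens and origins, it does not tell you whether the player will still function, which is what the manual tests above established.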


Thanks so much, Aris. I was about to embark on the same thing…

Ideally, we are able to disallow pop-ups and link discovery with a right click.