ZeroNet icon indicating copy to clipboard operation
ZeroNet copied to clipboard
verified publisher icon HelloZeroNet

Sandbox Lightbox (Call her SaLi [pronounced "Sally"])

Open styromaniac opened this issue 5 years ago • 6 comments

When files are directly linked, I think there should be a lightbox in an iframe for it, just in case files in question contain malicious executable code.

styromaniac avatar Dec 14 '20 15:12 styromaniac

Note that scripts and things that still want to directly access files can do so by using /raw/... URLs.

anoadragon453 avatar Dec 14 '20 21:12 anoadragon453

Having thought about this a bit more, I'm not actually sure if the iframe would help here given you could've just clicked a link leading to a site with malicious js anyways? ZeroFrame should still theoretically protect you against this.

Also people could just link you to /raw/... so :P

anoadragon453 avatar Dec 14 '20 21:12 anoadragon453

Any html file should be displayed with iframe, the /raw/ files is served with default-src 'none'; sandbox allow-top-navigation allow-forms; img-src *; font-src * data:; media-src *; style-src * 'unsafe-inline'; headers that should prevent any javascript from executing

HelloZeroNet avatar Jan 25 '21 02:01 HelloZeroNet

Good to know, thank you. That sounds like it may negate this issue?

anoadragon453 avatar Jan 26 '21 11:01 anoadragon453

@HelloZeroNet is right. JavaScript will not execute while you loading 127.0.0.1:43110/raw/.... However, you can see the files without any problem.

ghost avatar Feb 03 '21 16:02 ghost

So, should I close this issue?

styromaniac avatar Feb 03 '21 21:02 styromaniac