Authors: Jean-Philippe Zolesio
2022-11-17

Integrating third-party code or using HTML WYSIWYG editors increases the risk of introducing untrusted code into web applications. But these are necessary tools and solutions needed to make a seamless and dynamic user experience. In my journey to learn how to execute untrusted code safely, I researched the different ways to solve the problem and the common pitfalls associated with each solution. I also discovered multiple Open Source Software (OSS) projects and decided to complete the set of solutions available with Coriolis. Once I built this new library, new possibilities were unlocked that were previously undreamable.

In this presentation, I will present the usage of iframes as a solution and explain how to use them securely and which drawbacks they have, including the PostMessage API. I will also go through the popular options for handling unsecured third-party code with their respective pros and cons. Finally, I will go through how my solution addresses these limitations to provide a better developer experience and how you could do the same.