
Sandboxed iframes

Preventing malicious JavaScript execution is critical to the security of the dApp browser context. NFTs are untrusted SVGs rendered in a WKWebView, so we recommend placing this untrusted content inside a sandboxed iframe. A sandboxed iframe relies on browser-level controls to prevent JavaScript execution. If JavaScript execution is required for a given NFT, the sandbox attribute allows configurable control over what is and is not allowed in that context. Additionally, JavaScript in a sandboxed iframe executes in an isolated origin.

This was addressed with an alternative approach in the following commit:

  • 1b9a002f39853a5f415cdead06f56aa1136dfd39
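
The sandboxed-iframe recommendation above, sketched as an added example (not code from the report or from the wallet, whose fix took an alternative approach). The names `buildNftFrame`, `escapeAttr` and `ALLOWED_TOKENS` are hypothetical, and it assumes the host page injects the returned markup into the WKWebView document.

```javascript
// Added example; buildNftFrame, escapeAttr and ALLOWED_TOKENS are hypothetical names.

// Sandbox tokens this wrapper is willing to grant. "allow-same-origin" is
// deliberately absent: without it the framed document keeps an opaque,
// isolated origin even when scripts are enabled.
const ALLOWED_TOKENS = new Set(["allow-scripts"]);

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the iframe markup that hosts one untrusted SVG.
// tokens = [] yields sandbox="", the most restrictive setting (no scripts).
function buildNftFrame(untrustedSvg, tokens = []) {
  for (const t of tokens) {
    if (!ALLOWED_TOKENS.has(t)) {
      throw new Error(`sandbox token not permitted: ${t}`);
    }
  }
  // The SVG travels in srcdoc, so it is only ever parsed inside the frame;
  // escaping keeps it from breaking out of the attribute into the host page.
  const doc =
    `<!doctype html><html><body style="margin:0">${untrustedSvg}</body></html>`;
  return `<iframe sandbox="${tokens.join(" ")}" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Constructed sample input: an SVG carrying an inline script element.
const sampleSvg =
  '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<script>document.title = "ran"</script><circle r="10"/></svg>';

console.log(buildNftFrame(sampleSvg));                    // scripts blocked
console.log(buildNftFrame(sampleSvg, ["allow-scripts"])); // scripts run, isolated origin
```

Requesting `allow-same-origin` is rejected because, combined with `allow-scripts`, it would give the framed content the embedding page's origin.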

Zellic © 2024