- Issue created by @Lukas von Blarer
- @lukas-von-blarer opened merge request.
- 🇨🇭 Switzerland miro_dietiker
Note that an iframe from the same domain is not a full isolation.
The problem is mitigated a bit by the fact that we show mostly outgoing mails and not random incoming mails. Other systems identified the need for full isolation to deliver the iframe from a different domain to clarify the CORS (cross domain) situation.
As soon as a user payload could end up in the mail, this could cause a security issue.
I guess then this would need to be an opt-in with some warning?
- 🇨🇭 Switzerland Lukas von Blarer
Ok, agreed, this might be a risk. Is this also true with the sandbox attribute present on the iframe? That disables things like scripts, forms and downloads: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe But yeah, those aren't all the possible attack vectors.
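A defensive illustration of the sandbox point, added here as an example and not code from this thread or from the module under discussion: it builds the markup for a mail preview iframe and refuses the one token combination that lets sandboxed content remove its own sandbox. The function names and the attribute policy are assumptions.

```javascript
// Added example (not the module's code): render a stored mail body inside a
// sandboxed iframe. Assumes the caller supplies the raw HTML mail body as a
// string and, optionally, a list of sandbox tokens to grant.

// allow-scripts together with allow-same-origin lets the framed document reach
// the embedding page and strip the sandbox, so this pair is always refused.
const UNSAFE_TOKEN_COMBINATION = ['allow-scripts', 'allow-same-origin'];

// Escape a value for use inside a double-quoted HTML attribute such as srcdoc.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// True when the token list cannot be used to escape the sandbox.
function sandboxTokensAreSafe(tokens) {
  return !UNSAFE_TOKEN_COMBINATION.every((t) => tokens.includes(t));
}

// Build the iframe. An empty sandbox attribute applies every restriction:
// without allow-same-origin the srcdoc document gets an opaque origin (no
// cookies, no storage, no parent DOM even though it is served from the same
// site), without allow-scripts nothing in the mail runs, and without
// allow-forms / allow-popups the mail cannot submit forms or open windows.
// A srcdoc iframe WITHOUT a sandbox attribute inherits the parent's origin,
// which is the "same domain is not full isolation" case from the thread.
function buildMailPreviewIframe(mailHtml, tokens = []) {
  if (!sandboxTokensAreSafe(tokens)) {
    throw new Error('allow-scripts + allow-same-origin would let the mail body escape the sandbox');
  }
  const sandbox = escapeAttr(tokens.join(' '));
  const srcdoc = escapeAttr(mailHtml);
  return `<iframe sandbox="${sandbox}" srcdoc="${srcdoc}" referrerpolicy="no-referrer"></iframe>`;
}

module.exports = { buildMailPreviewIframe, sandboxTokensAreSafe, escapeAttr };
```

Serving the preview from a separate origin, as the earlier comment suggests, remains the stronger option; the sandbox only narrows what a same-site frame can do.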
- Merge request !10 "Issue #3357920 handle Multipart messages from mimemail" → (Open) created by malcomio
- Status changed to Needs work
- 5:55am 20 September 2023 - 🇨🇭 Switzerland Lukas von Blarer
Ok, this is also broken with symfony_mailer.