iframes for query responses can execute scripting

[Malvoz]

CSP Embedded Enforcement (defines the iframe csp attribute) isn't supported by all major browsers, so we fail to prevent scripts from executing in unsupporting browsers. Additionally, scripting is also executed in Chrome due to a bug where about:srcdoc fails to inherit the policy.

There are at least 2 ways to go about blocking scripts with wide support:

1. Prepend srcdoc with <meta http-equiv="content-security-policy" content="script-src 'none';">
2. sandbox the iframes

I think option 1 is more straight forward, and doesn't have any further implications other than blocking scripts, if that's what we want to do.

[Malvoz]

For clarity, I'm referring to:

https://github.com/Maps4HTML/Web-Map-Custom-Element/blob/ad3f1fd1f5498e0ae7b3e03c555899763142d2fb/src/mapml/handlers/QueryHandler.js#L155

https://github.com/Maps4HTML/Web-Map-Custom-Element/blob/ad3f1fd1f5498e0ae7b3e03c555899763142d2fb/src/mapml/handlers/QueryHandler.js#L170

[ahmadayubi]

Alright I'll implement option 1 in an upcoming PR related to issue #282

[Malvoz]

As a side note for option nr. 1, authors of the content inside the iframe can't loosen the policy (to re-enable scripting) by setting their own <meta> CSP, as multiple <meta> CSP policies can only be used to further strengthen an already defined policy (described in https://w3c.github.io/webappsec-csp/#multiple-policies). 👍🏼

[Malvoz]

FWIW option 1 (as opposed to option 2) does not block scripts from executing in nested iframes. It would probably be safer to go with option 2...