HTML5 Iframe: Block Remote Requests

I am loading HTML content into an iframe using the srcdoc property. An iframe is an isolated iframe with no permissions, so all JavaScript in the iframe is blocked. However, remote requests (for example, for CSS, images, etc.) will still run inside the iframe.

Is there any possible way to tell the iframe to only load what I give it in the srcdoc property and not make any additional requests?

Thank you in advance

+3




1 answer


The basics

Presumably not, as the iframe sandbox is designed to prevent the exchange of sensitive data between your main document and your iframe document, or to limit potentially destructive behavior.

The iframe is still functionally a browser window and will act this way by loading all external resources declared in it; the only difference is that it is displayed in a different document and not in another window.

If the code inside srcdoc has calls to remote resources, the browser does exactly what you say it does when loading them.

If you don't want these resources to be loaded, you will have to edit them out of the srcdoc code.

In fact, a possible solution

That being said, there might be a way to block the loading of resources using Content Security Policy from the iframe document using the meta tag:



<meta http-equiv="Content-Security-Policy" content="default-src 'none';">

      

or

<meta http-equiv="X-Content-Security-Policy" content="default-src 'none';">

      

I tried this in Firefox 39.0.3, but it didn't work, probably because of the following:

Bug 663570 - Implement Content Security Policy Using Tag

Regardless, for more information see:

+5
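The approach suggested in the answer, written out as an added example (not part of the original answer), for browsers that enforce a Content Security Policy delivered through a meta element. The function names, the exact policy string and the sample inputs are assumptions made for illustration.

```javascript
// Added example; buildSrcdoc, toIframeMarkup and mountSandboxed are hypothetical names.
// Assumed policy: block every fetch, but let inline CSS and data: images
// that are already part of the supplied markup render.
const LOCKED_DOWN_CSP = [
  "default-src 'none'",
  "style-src 'unsafe-inline'",
  "img-src data:",
].join("; ");

// Wrap untrusted markup so the policy is the first thing the parser sees.
// A meta-delivered policy only governs content that follows it.
function buildSrcdoc(untrustedHtml, policy = LOCKED_DOWN_CSP) {
  if (/["<>]/.test(policy)) {
    throw new Error("policy must not contain quotes or angle brackets");
  }
  return (
    "<!doctype html><html><head>" +
    `<meta http-equiv="Content-Security-Policy" content="${policy}">` +
    "</head><body>" + untrustedHtml + "</body></html>"
  );
}

// Server-side rendering: escape the document for use inside srcdoc="...".
function toIframeMarkup(untrustedHtml) {
  const escaped = buildSrcdoc(untrustedHtml)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;");
  return `<iframe sandbox srcdoc="${escaped}"></iframe>`;
}

// Browser-side: same document, assigned through the DOM (no escaping needed).
function mountSandboxed(parent, untrustedHtml) {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", ""); // empty value = every restriction on
  frame.srcdoc = buildSrcdoc(untrustedHtml);
  parent.appendChild(frame);
  return frame;
}
```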

