How to check if html is safe with iframe?

I get html code from API lines that can contain embedded videos from the following services:

  • youtube.com,
  • vimeo.com,
  • dailymotion.com,
  • prezi.com

If I'm sure it is safe enough, I can convert them to a reliable SafeHtml (to bypass Angular sanitizer):

this.safeHtml = this._sanitizer.bypassSecurityTrustHtml(this.htmlFromApi);

And then put it on a page like this:

<div [innerHtml]="safeHtml"></div>

Questions:

  • What checks should I do to make sure this line is safe enough (it does not contain built-in scripts and leads only to one of these four sites without any complicated redirects)?

  • Does it make sense to somehow add these sites to Angular sanitizer exceptions? And how to do it, if so?

Thanks in advance!


+6
1

angular ; , Content Security Policy, Certain (i) .

:

Content-Security-Policy: 
         default-src 'self' https:; 
         script-src 'self' https:; 
         frame-src https://*.youtube.com https://*.vimeo.com 
                   https://*.dailymotion.com https://*.prezi.com;


CSP , :

  • (i)frames - . Https , , * URL--, https://y2u.be, .

CSP , , safeHtml.


frame-src CSP directive.

, -TLS- TLS, URL-:

Content-Security-Policy: 
         default-src 'self'; 
         script-src 'self'; 
         frame-src https://*.youtube.com https://*.vimeo.com 
                   https://*.dailymotion.com https://*.prezi.com
                   http://*.youtube.com http://*.vimeo.com 
                   http://*.dailymotion.com http://*.prezi.com
                   https://youtu.be;
+2
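An added example of the pre-check the question asks for, written for this page and not taken from the question, the answer, or Angular: before calling `bypassSecurityTrustHtml`, accept the API fragment only if it consists of nothing but `<iframe>` elements whose `src` is an https URL on one of the four hosts (plus `youtu.be`, as in the answer's second policy) and whose attributes come from a small allowlist. The regex-based tokenizer, the attribute allowlist and the function names are this example's own choices; the CSP `frame-src` from the answer remains the second layer if this check is ever bypassed.

```javascript
// Hosts from the question and answer; a hostname passes if it equals an entry or is a subdomain of it.
const ALLOWED_HOSTS = ['youtube.com', 'vimeo.com', 'dailymotion.com', 'prezi.com', 'youtu.be'];
// Attribute allowlist chosen for this example; srcdoc, style and every on* handler are rejected.
const ALLOWED_ATTRS = new Set(['src', 'width', 'height', 'frameborder', 'allow', 'allowfullscreen', 'title']);

// The whole fragment must be whitespace plus one or more <iframe ...></iframe> elements, nothing else.
// '<' and '>' are not allowed inside the tag, so nested markup in attribute values fails here.
const FRAGMENT_RE = /^\s*(?:<iframe\b([^<>]*)>\s*<\/iframe>\s*)+$/i;
// Attribute tokenizer: name="v" | name='v' | name=v | bare name.
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;

function hostAllowed(src) {
  let url;
  try { url = new URL(src); } catch { return false; }   // relative or malformed URLs are rejected
  if (url.protocol !== 'https:') return false;           // no http:, javascript:, data:, blob:
  const host = url.hostname.toLowerCase();
  return ALLOWED_HOSTS.some(d => host === d || host.endsWith('.' + d));
}

function iframeAttrsOk(attrText) {
  let sawSrc = false;
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!ALLOWED_ATTRS.has(name)) return false;          // unknown attribute: reject the whole fragment
    if (name === 'src') {
      if (!hostAllowed(value.trim())) return false;      // every src, even a duplicate, must pass
      sawSrc = true;
    }
  }
  return sawSrc;                                          // an iframe without src is not an embed
}

// Returns true only for fragments that are safe to hand to bypassSecurityTrustHtml under this policy.
function isSafeEmbedHtml(html) {
  if (!FRAGMENT_RE.test(html)) return false;
  for (const m of html.matchAll(/<iframe\b([^<>]*)>/gi)) {
    if (!iframeAttrsOk(m[1])) return false;
  }
  return true;
}
```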
