I have a GitHub Pages static-site application embedded within a forum post with an iframe using the following code

<div id="app"></div>
<style>
    #app, #app-iframe {
        margin: 0;
        padding: 0;
        border: none;
        width: 100%;
        height: 1200px;
        overflow: hidden;
    }
</style>
<script>
        (function() {
            "use strict";

            let iframe = document.createElement("iframe");
            iframe.setAttribute("id", "app-iframe");
            iframe.src = "https://mygithub.github.io/my-github-pages-app/";
            iframe.sandbox = "allow-scripts allow-popups";

            let pdnpi = document.getElementById("app");
            pdnpi.appendChild(iframe);
        })();
</script>

Since recently learning about the sandbox feature of iframes all it required was the allow-scripts allow-popups to function properly. However, I've also noticed since then that Google Analytics doesn't seem to show the same daily users and isn't tracking like it should be. I would have assumed it would work because I've allowed scripts. There is still some data being returned but significantly less.

I've also figured out by adding allow-same-origin to the sandbox list, Google Analytics seems to show data again, which seems to be that it allows AJAX. Though I've read the risks of both allow-same-origin and allow-scripts also means that the iframe could potentially break out and modify the parent dom, removing its own sandbox restrictions.

The repository managing the GitHub Pages tool is safe, there is no concern about the contributors modifying it maliciously as they already have elevated permissions on the forum iteslf. The static site/tool is just some simple html and JS using jQuery, Bootstrap 4, and Google Analytics.

Is the risks with combining allow-same-origin and allow-scripts all that bad in this situation? Assuming there is no other alternative to get GA working again without it?

0 Answers