Security challenges with accepting html code for embedding twitter timelines


#1

In our enterprise application, we plan to embed a twitter timeline on our portal. This requires the admin user of our application to navigate to https://publish.twitter.com/# and generate the html code that is outputted by the twitter site. The admin would then need to pass the generated code to our application so that the timeline could be embedded in the application on the portal view.

I foresee security challenges with accepting html code. What are some of the possible approaches for handling the security concerns in accepting code?


#2

Can you be more explicit about the precise security challenges and concerns you have?


#3

The security concerns I am referring to are the ability of the user to embed any erroneous/malicious javascript within the passed html code. In particular, any kind of security attack that the application might be open to with code injection, like cross-site scripting for example.


#4

Yes, that’s a legitimate concern of course. The publish portal (and our oembed API) simply provides injectable / pastable code that refers to Twitter’s widgets.js Javascript.

From my point of view, enforcement of valid domains with CORS configuration is one way to control this (we use it to enforce what scripts can run inside our dev.twitter.com portal, for example). In the case of Twitter’s web embeds, you would want to whitelist platform.twitter.com which is where our CDN-served widgets.js is located.

If a user/administrator on your portal intermingles malicious code in the pasted tags generated from the publish portal or from the oembed API, then that is outside of Twitter’s control. One approach to this issue might be to have any site or CMS updates peer-reviewed before deployment to production. We’ve used systems like Gerrit and Phabricator to ensure that any site changes receive a +1 “ship it!” confirmation to avoid an individual user making a breaking change.
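One way to apply the allow-listing idea from the reply above on the portal's server side, as an added example that is not part of this thread or of Twitter's own tooling: the pasted snippet is accepted only if it matches the shape the publish tool is assumed to produce (one `<a class="twitter-timeline">` linking to twitter.com over https, followed by one `<script>` that loads platform.twitter.com/widgets.js), and anything else (event-handler attributes, scripts from other hosts, inline script bodies, extra tags) is rejected with a reason. The exact snippet shape and the `exampleorg` account name are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the snippet generated by publish.twitter.com is exactly one
# <a class="twitter-timeline" href="https://twitter.com/..."> followed by one
# <script async src="https://platform.twitter.com/widgets.js" charset="utf-8">.
WIDGETS_SRC = "https://platform.twitter.com/widgets.js"
ANCHOR_HOSTS = {"twitter.com", "www.twitter.com"}


class EmbedValidator(HTMLParser):
    """Accepts only the expected two-tag timeline snippet; records every deviation."""

    def __init__(self):
        super().__init__()
        self.errors, self.tags = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        self.tags.append(tag)
        # Inline event handlers are never part of the generated snippet.
        self.errors += [f"event handler attribute {n!r}" for n in attrs if n.startswith("on")]
        if tag == "a":
            url = urlparse(attrs.get("href") or "")
            if url.scheme != "https" or url.netloc.lower() not in ANCHOR_HOSTS:
                self.errors.append(f"anchor href is not an https twitter.com URL: {url.geturl()!r}")
            # Widget options arrive as data-* attributes; anything else is suspicious.
            extra = {n for n in attrs if not n.startswith("data-")} - {"class", "href"}
            if attrs.get("class") != "twitter-timeline" or extra:
                self.errors.append(f"unexpected anchor attributes: {sorted(extra)}")
        elif tag == "script":
            # A <script> without this exact src (including an inline body) fails here.
            if attrs.get("src") != WIDGETS_SRC or set(attrs) - {"async", "src", "charset"}:
                self.errors.append(f"script may only load {WIDGETS_SRC}")
        else:
            self.errors.append(f"disallowed tag <{tag}>")


def validate_embed(snippet):
    """Return (accepted, reasons); True only for one clean <a> then one widgets.js <script>."""
    v = EmbedValidator()
    v.feed(snippet)
    v.close()
    if v.tags != ["a", "script"]:
        v.errors.append(f"expected exactly <a> then <script>, got {v.tags}")
    return not v.errors, v.errors
```

Validating the pasted code complements, rather than replaces, a Content-Security-Policy `script-src` on the rendering page that names platform.twitter.com, and the peer review of changes described above.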

