| Yes and no. It depends on the origin of the iframe - if the iframe origin is the tuple (https, news.ycombinator.com, 443) then even if it's in an iframe it still has access to everything. If you put the content into its own origin (say, with <iframe src="data:text/html;base64,..."></iframe>), then it would no longer†have access to your data, but someone who put javascript on their bio could still pop up an alert with arbitrary content in your browser, for instance. †Well, it's also debatable whether or not an iframe with a unique origin would be sufficient protection in the age of Spectre/Meltdown style vulnerabilities, where code execution in a process means you have access to the entire memory contents of that process. Chrome has strong protections against this in the form of Site Isolation [1], but Firefox does not (though they are actively working on it with Project Fission [2]), and Safari/etc do not to my knowledge. We don't _really_ need to be worried about Spectre/Meltdown vulnerabilities being used against a Hackernews profile viewer extension, but at the same time it's easy enough to write safe code that doesn't allow javascript execution in the first place, so why not do that instead? The right way would be to either use a templating language that takes care of it for you (react/angular/vue/etc), or to write some plain javascript instead of injecting DOM with jQuery.html(). Something like: const div = document.createElement('div');
div.textContent = 'This is the bio. <script>alert("This will not execute");</script>';
[1]: https://www.chromium.org/Home/chromium-security/site-isolati...[2]: https://wiki.mozilla.org/Project_Fission |