Protection from Malicious Code
The HTML5 Viewer has a built-in security feature that helps to prevent malicious attacks, in particular cross-site scripting (XSS) attacks. The feature works like this: Before the content loads on the user's device, viewers remove untrustworthy URLs and HTML markup that could execute code when resolved.
In addition, the viewer prompts the user to allow or deny the content at unknown URLs. This protects users from unknowingly loading content that could be malicious. Once a user has allowed or denied content from a particular URL, the viewer remembers the user's choice in the web browser's local storage and does not prompt again for that URL. The user's preferences remain in effect until the user clears their web browser's local storage.
URLs and HTML markup can occur in different contexts. Some common contexts are:
- feature data
- projects
- uploaded data
- site configuration, notably feature descriptions
Removal of High-Risk Content
HTML5 viewers remove high-risk URLs and HTML markup. The viewer does not notify end users that content is being removed. Viewers remove the following:
- Scripts defined using the HTML script element
- HTML attributes that can run code, for example, JavaScript event handlers such as onload
- HTML attributes that do not conform to the HTML4 specification, for example, data attributes
- Custom tags
- URLs that use any protocol besides HTTP, HTTPS, or MAILTO; for example, viewers remove URLs that use the FTP protocol
Most HTML elements are allowed, including a, img, iframe, video, and audio elements. Anchor (<a>) tags can contain HTML5 viewer commands, even though commands run code. The code that is run by viewer commands is considered to be trusted.
URL Filtering
To help prevent loading malicious code via URLs, HTML5 viewers filter URLs before resolving them. HTML5 viewers filter URLs as follows:
- Remove URLs that use any protocol besides HTTP, HTTPS, or MAILTO.
- Create a whitelist of allowed URLs. These URLs are trusted. The viewer loads content from trusted URLs without prompting the user. For more information, see URLs that are Explicitly Specified in the Site.
- Before loading content from a URL that is not trusted, prompt the user to allow or deny content from that URL. You can disable the prompt from the viewer configuration files. See Content Policy Configuration.
- Remember the user's choice. If the user allowed the content, the viewer loads content from that URL without re-prompting the user. If the user denied the content, the viewer does not load content from that URL and does not re-prompt the user.
The viewer remembers the user's preference relative to the URL's specificity. If the URL for a site's subfolder is trusted, then every file within the subfolder is also trusted. Additionally, if a URL that specifies a particular file name within the subfolder is not trusted, only that file is not trusted.
URLs that are Explicitly Specified in the Site
HTML5 viewers always allow content from URLs that are configured explicitly in the site. This includes the URLs to map services, geocoding and geometry services, feature hyperlinks, layer hyperlinks, and icon URLs. As well, viewers allow any URLs (or parts of URLs) that are explicitly configured in a layer's Feature Label, Feature Description, or Feature Long Description. This is the viewer's way of respecting the administrator's configuration.
The key here is that the configuration must be explicit. Replacement tokens are not considered to be explicit. Viewers allow content up to the last slash before the first replacement token, or if there is no replacement token, up to the last slash. For example:
- https://server.domain.com/content/
  The viewer allows all files in https://server.domain.com/content/ without prompting the user.
- https://server.domain.com/content/file.extension
  The viewer allows all files in https://server.domain.com/content/ without prompting the user.
- https://server.domain.com/content/{name}.extension
  The viewer allows all files in https://server.domain.com/content/ without prompting the user. {name} is a field token.
- https://server.domain.com/ArcGIS/rest/services/mymapservice/{LayerID}/{OBJECTID}/attachments/{PHOTOID}
  The viewer allows all files in https://server.domain.com/ArcGIS/rest/services/mymapservice/ without prompting the user. {LayerID} is a layer token.
Content Policy Configuration
You can enable or disable the prompt users receive when asked to allow or deny content from a URL. To configure the security prompt, locate the application object near the top of your viewer configuration files and embed a new object called contentPolicy in it. The contentPolicy object has these configurable properties:
- disableSecurityPrompt: Disable the security prompt site-wide. The default value is false.
- disablePromptOnImages: Disable the security prompt on images. The default value is true.
- trustExactUrl: For security prompts, only trust the exact URL instead of any URL in the same folder. The default value is false.
The configured contentPolicy object looks like this:
"application": {
    "contentPolicy": {
        "disableSecurityPrompt": false,
        "disablePromptOnImages": true,
        "trustExactUrl": false
    }
}
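The URL trust rules described above (trusted scope up to the last slash before the first replacement token, most-specific remembered decision wins) together with the three contentPolicy options, modelled in JavaScript as an added example that is not Geocortex code. The ContentPolicy class, its method names and the "load", "block" and "prompt" results are assumptions, and the cdn.example.com URLs are constructed sample input.

```javascript
// Added example (not Geocortex code) modelling the page's URL filtering rules.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const TOKEN_RE = /\{[^}]*\}/; // replacement tokens such as {name} or {LayerID}
// Only HTTP, HTTPS and MAILTO URLs survive filtering; everything else is removed.
function schemeAllowed(url) {
  try { return ALLOWED_SCHEMES.has(new URL(url).protocol); } catch { return false; }
}
// Trusted scope of a configured URL: up to the last slash before the first token.
function trustedPrefix(configuredUrl) {
  const tokenIdx = configuredUrl.search(TOKEN_RE);
  const scope = tokenIdx === -1 ? configuredUrl : configuredUrl.slice(0, tokenIdx);
  const lastSlash = scope.lastIndexOf("/");
  // Assumption: a bare origin such as https://host trusts the host root.
  if (lastSlash < scope.indexOf("://") + 3) return scope.replace(/\/*$/, "/");
  return scope.slice(0, lastSlash + 1);
}
class ContentPolicy {
  constructor(siteUrls, opts = {}) {
    this.opts = { disableSecurityPrompt: false, disablePromptOnImages: true,
                  trustExactUrl: false, ...opts };          // page defaults
    this.siteTrusted = siteUrls.map(trustedPrefix); // explicit config never prompts
    this.decisions = new Map();                     // remembered user choices
  }
  // What the viewer does with a URL: "load", "block", or "prompt" the user.
  decide(url, isImage = false) {
    if (!schemeAllowed(url)) return "block";
    if (this.siteTrusted.some((p) => url.startsWith(p))) return "load";
    const choice = this.lookup(url);
    if (choice) return choice === "allow" ? "load" : "block";
    if (this.opts.disableSecurityPrompt) return "load";
    if (isImage && this.opts.disablePromptOnImages) return "load";
    return "prompt";
  }
  // Allow covers the folder unless trustExactUrl; deny covers only that URL (assumed).
  remember(url, allowed) {
    const key = allowed && !this.opts.trustExactUrl ? trustedPrefix(url) : url;
    this.decisions.set(key, allowed ? "allow" : "deny");
  }
  // The most specific remembered decision wins: longest key covering the URL.
  lookup(url) {
    let best = "";
    for (const key of this.decisions.keys()) {
      const covers = key.endsWith("/") ? url.startsWith(key) : url === key;
      if (covers && key.length > best.length) best = key;
    }
    return best ? this.decisions.get(best) : null;
  }
}
```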
"Allow Unsafe Content" Setting
A viewer's Application page in Geocortex Essentials Manager has a checkbox labelled Allow Unsafe Content. The viewer prevents cross-site scripting attacks and filters URLs and markup whether or not this setting is on.
If this checkbox is selected, content from a KML or GeoRSS layer that contains HTML markup within a <description> element is interpreted by the viewer. If you want the viewer to display the preformatted markup, clear the checkbox. By default, unsafe content is not allowed.