Twitter/Facebook/YouTube API security issues

WolfShade · July 2, 2018, 1:48pm

Hello, all,

I’ve recently been tasked to investigate using Twitter, Facebook, and YouTube APIs on our public-facing page. I have been looking into it, and the Twitter API is very simple - they even have a page that you can use to customise the look and feel of whatever page you wish to grab tweets from and it creates an anchor tag with all the parameters. Very nice.

However, I have come across a stumbling block. The Facebook and YouTube APIs involve using IFRAME. On our network, IFRAME is proscribed. Major security issue (primarily cross-site scripting.)

Is anyone aware of alternative methods for putting a Facebook or YouTube widget on a site that does NOT use IFRAME?

V/r,

^ _ ^

WolfShade · July 3, 2018, 3:03pm

Is there anyone who custom built a YouTube widget/embed for a site using cURL? I’m working in ColdFusion but can use the cURL equivalent (CFHTTP).

V/r,

^ _ ^

Noppy · July 3, 2018, 3:10pm

I’m no security expert but would sandboxing the iframes work for you https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

I quote 'This is nicely draconian, and a document loaded into a fully sandboxed iframe poses very little risk indeed. ’

I am taking this chaps word for it so might be worth checking but hopefully this is useful.

WolfShade · July 3, 2018, 3:11pm

Thanks for the suggestion, but unfortunately I work for DoD, and even sandboxed iframes are not allowed. No discussion.

V/r,

^ _ ^

system · October 2, 2018, 10:11pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.