CryptPad's new Secure Cross-Domain Iframe

CryptPad version 1.14 (Codename Ouroboros) has been released and the most exciting new feature is one you cannot even see. As you may remember from the Security Growing Pains post, Content Security Policy is a significant part of CryptPad’s security model, and it is unfortunately incompatible with CKEditor, the Open Source text editor used in CryptPad.

With this release, we have done a significant re-architecture of the CryptPad codebase. Starting with the /pad/ application, the CryptPad UI has begun a process of moving into an iframe which is hosted on a different domain: sandbox.cryptpad.info. Moving the visual content to a different domain means that even in the event of a Cross-site scripting security vulnerability, most of your private information such as the pads in your CryptDrive, will not be at risk.

In this version we updated only the /pad/ application to use the cross-domain iframe because it is the only app which requires inline script. This prevented us from using Content Security Policy to block the most significant vector for Cross Site Scripting attacks but now with the cross-domain iframe, such attacks are mitigated.

Going forward, we plan to implement a standardized CryptPad application API so that new applications can be developed, installed and used in CryptPad. Today, the CryptPad API which is exposed to apps such as /pad/ and /code/ is not standardized and there is no clear line between the apps themselves and the CryptPad internals. As we move toward the a standard app API, we will define a standard representation of a CryptPad application with such additional aspects as the app’s color-scheme and icons.

Fundementally, this unexciting change to CryptPad begins a new phase in development, we plan to move from a set of integrated prepackaged applications to an ecosystem of applications for collaborating on different types of content with the same encryption under the hood.

But Wait, There’s more

The pictures in this blog post are not hosted on the blog, they are in fact Zero Knowledge files uploaded on CryptPad. They can be seen on this blog because it is using the Media Tag which was developed as part of the UCF Project with the support of Systematic, BPIFrance and the City of Paris.

Media Tag allows files on CryptPad to be included in any website (such as this blog). All you have to do to include a file from CryptPad is simply include the Media Tag loader and then add a Media Tag to your document, just like the following:

1
2
3
4
5
<!-- At the top of your HTML file -->
<script src="https://cryptpad.fr/common/media-tag-nacl.min.js"></script>

<!-- Where you'd like the image to be located -->
<media-tag src="https://files.cryptpad.fr/blob/3c/3c9b5b3fb00b7dc35e15851606132585e8b69b06a51556eb" data-crypto-key="cryptpad:VE4raHL5VFReAXxioTaFZwt6q2jpxX+bdFHAFeoivZQ="></media-tag>

With this you can embed files from your CryptDrive into any website you want.