HeadlinesBriefing favicon HeadlinesBriefing.com

How Share My Page Sandboxes Untrusted HTML with Null-Origin Iframes

Hacker News •
×

Share My Page hosts arbitrary HTML — including AI-generated dashboards, prototypes, and interactive tools — without sanitizing JavaScript. Instead of filtering uploads, the service assumes every page is hostile and neutralizes risk through architecture. Each page loads inside a sandboxed iframe with a precise attribute list: `allow-scripts allow-popups allow-forms allow-downloads allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation`. Critically, allow-same-origin is omitted, giving the framed document a null origin where `document.cookie` returns empty, `localStorage` is unavailable, and the parent page remains unreachable.

The content originates from a separate, cookieless origin served via short-lived signed URLs. The authenticated application origin never shares cookies or tokens with this content origin, so even a hypothetical sandbox escape finds no session to steal. Framing is restricted to the Share My Page app alone, preventing clickjacking reuse. The platform also enforces a strict Content Security Policy on the shell, stores pages as encrypted private files in the EU, and scopes every read to the user's workspace.

This layered approach means no single control is load-bearing: the null-origin sandbox, isolated origin, signed URLs, framing locks, CSP, and encrypted storage each hold independently. Injection (XSS) fails because untrusted HTML never touches the trusted, cookie-bearing origin. Session hijacking fails because scripts have no cookie access and the content origin holds no session. The design acknowledges that isolation protects infrastructure, not content truthfulness — moderation and access control remain separate concerns.