I have a basic webmail client I'm writing. The server is built around a basic node.js http server. Pages are served over https using a valid cert from Let's Encrypt. The message body is loaded into a sandboxed iframe via the .srcdoc attribute.
I thought loading the message into a sandboxed iframe would mitigate security warnings regarding mixed content and cross-domain content. Unfortunately, when the content loads into the iframe, the green lock still disappears and is replaced by a security warning.
Details: The backend uses the node.js imap-simple module to retrieve mail content from the imap server, and returns email data as a json object which is then parsed down to an array of envelope objects containing from/to/cc/bcc/date/subject/text/html entries. Text emails are not an issue, but html emails need to be displayed as html (unless of course the user chooses no-html).
How can I safely display the html message content and avoid security warnings due to included message content that is not from my site?
Other than that it appears to be working great with the sandboxed iframes. Cookies from message content on other sites appear to be nicely segregated to their own domains as are cookies from my site. It appears to be nicely separating off-site data from my own sites data, scripts are disabled etc from running in the sandboxes. If enabled for testing, a script run from inside a sandbox indeed has no access to objects outside the sandbox.
I think the warnings are appearing because the page inside the sandbox is generated from the containing page from my site, though the content references outside url's. Obviously the sandboxed page cannot be referenced from the outside site, as it's an email.
How do I work around this to avoid security warnings? How do other webmail clients do it? The real problem is it makes it looks like my site is insecure to people who don't read the actual warning, or don't understand what it means (i.e. most regular users).
I was under the impression that containing the message in a sandbox would prevent the warning appearing on the containing page.
Some psuedocode to exemplify the basic structure of the page:
<html>
<iframe id=mainpage>
#docuement
<iframe sandbox id=envelope0>
#document
<div> ...email body with off-site content here </div>
</iframe>
</iframe>
<script> //foo to get/generate html from the message(s) </script>
</html>
It's a feature not a bug.
Cross domain frames will not show as secure.
How can I safely display the html message content and avoid security warnings due to included message content that is not from my site?
You can deliver it from your site and not some other site. This will fix the SSL warning, but won't make anything "safe". If the content was dangerous, it will still be dangerous.