01-19-2012, 07:06 PM | #1
michael887
How to show external page in iframe sans Javascript in Firefox?

I'm trying to load an external site in an iframe for my Firefox visitors. The external page is loaded with javascript, and I would like this to be stripped out. For Chrome, the HTML5 sandbox="" works perfectly, and with IE the security="restricted" does the job just fine. With Firefox, I'm struggling.

I've been using the CSP policy directive as described here, but I can't seem to get the right configuration. The following line will load the page, but the javascript on the external site still loads.
PHP Code:
header("X-Content-Security-Policy: allow 'self'; object-src 'self'; script-src 'self'; frame-src *.externalsite.com; img-src 'self'"); 
I've tried dozens of other configurations and seem to have hit a brick wall. Will this work with the CSP directive? Should I look somewhere else to allow an external site to load in an iframe sans javascript in Firefox? Is this even possible in Firefox?

01-19-2012, 08:30 PM | #2
felgall
The options for disabling JavaScript like that are still very new and so not all browsers currently have a way that works.

One thing that all of the browsers do implement is that whatever page that is loaded in the iframe will not be able to have its JavaScript communicate with anything outside of the iframe unless the page is loaded from the same domain as the main page OR both sites have JavaScript that implements postMessage calls specifically to pass data between them (which you certainly are not going to be implementing on your page). So even if you don't manage to disable the scripts in the loaded page they will still be greatly limited in what they can do.
__________________
Stephen
Learn Modern JavaScript - http://javascriptexample.net/
Helping others to solve their computer problem at http://www.felgall.com/

01-19-2012, 09:09 PM | #3
michael887
Thanks for your reply felgall. I've been using a php proxy script that loads the page first, strips the javascript, and then displays it in the iframe. I'd really like to not do that, but it seems like with Firefox I'll be stuck until they add in sandbox support.
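
The proxy approach from post #3, as an added example that is not code from the thread: instead of stripping script tags, the proxy returns the fetched page with a Content-Security-Policy of its own, because a policy applies to the document it is delivered with. The endpoint, the `path` parameter, the function names and the host `www.externalsite.com` are assumptions, and it uses the standardized header name rather than the prefixed one from the first post.

```php
<?php
// Added example, not code from the thread. Hypothetical proxy endpoint: fetch one
// allowlisted external page and return it with response headers that stop the
// browser from running its scripts, rather than regex-stripping <script> tags.

const ALLOWED_HOST = 'www.externalsite.com'; // assumption: placeholder host from the post

// Policy sent WITH the proxied document. A policy on the parent page only decides
// what may be framed (frame-src); it is not applied inside the framed document.
// "sandbox" also gives the document a unique origin, which matters here because
// proxied content is otherwise same-origin with the site that serves the proxy.
function framed_page_headers(): array
{
    return [
        "Content-Security-Policy: sandbox; script-src 'none'; object-src 'none'",
        'X-Content-Type-Options: nosniff',
        'Content-Type: text/html; charset=utf-8', // assumption: upstream is UTF-8 HTML
    ];
}

// Accept only an absolute path on the allowlisted host, so the proxy cannot be
// pointed at arbitrary or internal URLs.
function build_upstream_url($path): ?string
{
    if (!is_string($path) || $path === '' || $path[0] !== '/') return null;
    if (preg_match('/[\x00-\x20\\\\]/', $path)) return null; // no control chars, spaces, backslashes
    return 'https://' . ALLOWED_HOST . $path;
}

function fetch_upstream(string $url): ?string
{
    $ctx = stream_context_create(['http' => [
        'timeout' => 5,
        'follow_location' => 0, // never follow a redirect off the allowlisted host
    ]]);
    $body = @file_get_contents($url, false, $ctx); // assumes allow_url_fopen and openssl
    return $body === false ? null : $body;
}

if (PHP_SAPI !== 'cli') {
    $url = build_upstream_url($_GET['path'] ?? '/');
    $body = $url === null ? null : fetch_upstream($url);
    if ($body === null) {
        http_response_code(502);
        exit('Upstream page unavailable');
    }
    foreach (framed_page_headers() as $h) header($h);
    echo $body;
}
```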