Iframe Sandbox Security
The Supervised AI Bots plugin renders each chatbot inside an isolated <iframe> rather than loading the chatbot's script directly into your pages. The iframe is a separate browsing context with its own origin, so script running inside it cannot read or modify the host page's DOM, cookies, or logged-in WordPress session. A script injection into the chatbot therefore cannot directly reach your site's administrative functions or user data, as long as the chatbot is served from a different origin than your site.
Security Architecture
Each chatbot is embedded in a dedicated container whose <iframe> carries the sandbox attribute. A sandboxed iframe starts with every capability removed (no script execution, no form submission, an opaque origin with no access to cookies or storage, no navigation of the parent page, no popups) and regains only the capabilities named in the attribute. By default, the plugin grants the following:
- allow-scripts: Permits the chatbot to execute its own logic and interactive elements.
- allow-forms: Allows users to submit queries and interact with input fields within the bot.
- allow-same-origin: Lets the iframe keep its real origin instead of an opaque one, so the chatbot can use cookies and storage for its own origin to maintain session state where the Supervised AI platform requires it.
Everything not listed stays blocked, so the chatbot cannot navigate your page to another URL or open new windows. One caveat applies to this combination: allow-scripts together with allow-same-origin is only a restriction while the embedded document comes from a different origin than your site, because a same-origin document granted both could remove its own sandbox attribute. Keep bot URLs on the Supervised AI platform's host, as in the example below, rather than on your own domain.
Domain Validation
The shortcode never accepts a URL directly: it takes only an id, and the plugin resolves that id against the list of URLs an administrator has saved on the Supervised AI Bots settings page. An id with no matching entry has no URL to render. This means page authors, editors, or anyone else able to insert shortcodes cannot embed an arbitrary third-party URL or script through the shortcode system.
When you add a URL to the settings, the plugin renders it inside the following container and sandboxed iframe structure:
<!-- Example of the secure iframe structure generated -->
<div class="iframe-container">
  <iframe
    src="https://your-bot-url.supervised.co"
    sandbox="allow-scripts allow-same-origin allow-forms"
    style="border: none; width: 100%; height: 100%;">
  </iframe>
</div>
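As an added example (not the plugin's own code), the JavaScript below models the lookup-and-render path described in this section and the sandbox policy from the Security Architecture section: the shortcode supplies only an id, the id is resolved against the administrator-defined settings list, the stored URL must be an absolute https:// URL, and the iframe attributes are escaped rather than concatenated raw. It also includes the check a reviewer would want for the allow-scripts plus allow-same-origin combination. BOT_SETTINGS, HOST_ORIGIN, the sample URLs and all function names are assumptions made for the example, not Supervised AI Bots identifiers.

```javascript
// Added example, not the plugin's own code: a model of the lookup-and-render
// path this page describes. BOT_SETTINGS, HOST_ORIGIN and the function names
// below are assumptions for the example, not Supervised AI Bots identifiers.

// Constructed settings list, standing in for what an administrator saves on
// the Supervised AI Bots settings page.
const BOT_SETTINGS = [
  { id: 1, url: "https://support-bot.supervised.co/embed" },
  { id: 2, url: "http://legacy-bot.example.net/embed" }, // not https: must be refused
  { id: 3, url: "https://www.example.com/bot" },         // same origin as the host site
];

// Origin of the WordPress site itself (assumed).
const HOST_ORIGIN = "https://www.example.com";

// Sandbox tokens the page says the plugin grants by default.
const SANDBOX_TOKENS = ["allow-scripts", "allow-same-origin", "allow-forms"];

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute https:// URLs without embedded credentials.
// Returns the normalized URL string, or null when the value must not be embedded.
function validateBotUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);                       // throws on relative, empty, malformed
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:") return null; // refuses http:, javascript:, data:, ...
  if (parsed.username || parsed.password) return null;
  return parsed.href;
}

// Resolve a shortcode id to a validated URL from the settings list.
// The id is the only input taken from the shortcode; a URL supplied in the
// shortcode attributes is never consulted.
function lookupBotUrl(id, settings = BOT_SETTINGS) {
  if (!/^\d+$/.test(String(id))) return null;
  const entry = settings.find((s) => s.id === Number(id));
  return entry ? validateBotUrl(entry.url) : null;
}

// Flag the configuration under which the sandbox stops being a restriction:
// allow-scripts plus allow-same-origin on a document from the host's own origin
// lets that document remove its own sandbox attribute.
function sandboxWarnings(url, tokens = SANDBOX_TOKENS, hostOrigin = HOST_ORIGIN) {
  const warnings = [];
  const bothGranted =
    tokens.includes("allow-scripts") && tokens.includes("allow-same-origin");
  if (bothGranted && new URL(url).origin === hostOrigin) {
    warnings.push(
      `${url} is same-origin with ${hostOrigin}; allow-scripts + allow-same-origin lets it escape the sandbox`
    );
  }
  return warnings;
}

// Render the markup for [supervised_ai_bot id="X"]. Unknown ids and URLs that
// fail validation render nothing; attribute values are escaped.
function renderShortcode(attrs, settings = BOT_SETTINGS) {
  const url = lookupBotUrl(attrs.id, settings);
  if (url === null) return "";
  return (
    '<div class="iframe-container">' +
    `<iframe src="${escapeAttr(url)}" sandbox="${escapeAttr(SANDBOX_TOKENS.join(" "))}" ` +
    'style="border: none; width: 100%; height: 100%;"></iframe>' +
    "</div>"
  );
}

// Stand-alone demonstration.
console.log(renderShortcode({ id: "1" }));
console.log(JSON.stringify(renderShortcode({ id: "2" })));                          // "": http refused
console.log(JSON.stringify(renderShortcode({ id: "1", url: "javascript:alert(1)" }))); // url attr ignored
console.log(sandboxWarnings(BOT_SETTINGS[2].url));
```

The shape worth copying is that the shortcode handler has no code path that embeds anything other than a value read from the saved settings, and that the saved value is still validated at render time, so a bad entry that slipped into settings (an http:// URL, a URL with credentials) is refused rather than embedded.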
UI and Style Isolation
To keep the chatbot UI from interfering with your theme's layout, the plugin places the iframe inside its own container that sizes and clips it. Because the chatbot's markup and stylesheets live in the iframe's separate document, its CSS cannot cascade into your theme and its scripts cannot alter the DOM of your existing pages; the container only reserves space for the chatbot and keeps it interactive.
The CSS constrains the iframe to the container's box:
.iframe-container {
  position: relative;   /* establishes the box the iframe is positioned against */
  height: 670px;        /* reserves a fixed amount of space in the page flow */
  overflow: hidden;     /* clips anything that would spill past the container */
}
.iframe-container iframe {
  position: absolute;   /* fills the container rather than flowing with the page */
  top: 0;
  left: 0;
  width: 100%;
  height: 100%;
  border: none;
}
Best Practices for Users
To maintain maximum security while using the plugin:
- Use HTTPS: Always provide full https:// URLs in the plugin settings so that traffic between the user and the chatbot is encrypted; on an HTTPS site, an http:// iframe would in any case be blocked by the browser as mixed content.
- Verify Bot IDs: When using the [supervised_ai_bot id="X"] shortcode, ensure the id corresponds to the intended URL in your settings list, so the wrong bot is not displayed on sensitive pages.
- Limit Admin Access: Only allow trusted administrators to access the Supervised AI Bots settings page, since whoever can edit that list controls which URLs are embedded on the site.