Security model
User-uploaded HTML is arbitrary code. Treating it that way is the foundation of how Shipslides is designed.
What we lock down
- connect-src 'none' — uploaded scripts cannot use fetch, XHR, WebSocket, EventSource, ping, or sendBeacon to call APIs.
- upload abuse scan — blocks forms, credential prompts, JavaScript URLs, meta refresh redirects, suspicious navigation code, install prompts, and network/API snippets before storage.
- img-src allows self/data/blob images plus Wikimedia and https://i.ytimg.com thumbnails. No other external image hosts are permitted.
- media-src allows self/data/blob media plus Wikimedia. No other external media hosts are permitted.
- style-src allows inline/self styles plus https://fonts.googleapis.com/css. No other external stylesheet hosts are permitted.
- font-src allows self/data fonts plus https://fonts.gstatic.com. No other external font hosts are permitted.
- form-action 'none' — fake login forms have nowhere to submit.
- frame-ancestors locked to Shipslides — decks cannot be embedded by arbitrary sites pretending to be us.
- iframe sandbox everywhere — raw mode is also a full-screen iframe wrapper; uploaded HTML is not served as a top-level document.
- iframe sandbox flags — no allow-same-origin, no top-frame nav, no popups, no modal dialogs.
What we allow (curated)
Uploaded deck code cannot call APIs. External asset loading is limited to the specific image, media, stylesheet, and font hosts listed above. Decks can embed videos from YouTube only via the standard https://www.youtube.com/embed/<id> (or https://www.youtube-nocookie.com/embed/<id>) HTTPS iframe URL. Other YouTube pages such as watch pages are rejected, and no other third-party iframe hosts are permitted; every addition to this allowlist gets a security review.
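One way to enforce the YouTube embed rule above at upload time, shown as an added example that is not Shipslides' own code. The function name checkEmbedUrl, the 11-character video id pattern, and the choice to drop query strings from the canonical URL are assumptions; the two hosts and the /embed/<id> shape come from the text.

```javascript
// Added example (not Shipslides' code): strict allowlist check for iframe src.
const ALLOWED_EMBED_HOSTS = new Set([
  "www.youtube.com",
  "www.youtube-nocookie.com",
]);

// Assumption: video ids are 11 characters from [A-Za-z0-9_-].
const EMBED_PATH = /^\/embed\/([A-Za-z0-9_-]{11})$/;

function checkEmbedUrl(raw) {
  let url;
  try {
    url = new URL(raw); // no base given: relative and scheme-less input throws
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  // Compare the parsed hostname, never a substring of the raw string.
  if (url.username || url.password) return { ok: false, reason: "userinfo present" };
  if (url.port !== "") return { ok: false, reason: "explicit port" };
  if (!ALLOWED_EMBED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: "host not allowlisted" };
  }
  // pathname is already normalized by the parser, so "/embed/../watch" is "/watch".
  const m = EMBED_PATH.exec(url.pathname);
  if (!m) return { ok: false, reason: "not an /embed/<id> path" };
  // Rebuild the URL from validated parts instead of echoing the input.
  return { ok: true, canonical: `https://${url.hostname}/embed/${m[1]}` };
}

// Constructed sample inputs; the video id is a placeholder.
const SAMPLES = [
  "https://www.youtube.com/embed/abcDEF12345",
  "https://www.youtube-nocookie.com/embed/abcDEF12345?autoplay=1",
  "https://www.youtube.com/watch?v=abcDEF12345",
  "http://www.youtube.com/embed/abcDEF12345",
  "https://www.youtube.com.example.test/embed/abcDEF12345",
];
for (const s of SAMPLES) {
  const r = checkEmbedUrl(s);
  console.log(r.ok ? `ALLOW ${r.canonical}` : `REJECT (${r.reason}) ${s}`);
}
```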
What we accept as residual risk
- CPU usage by the deck (you can close the tab).
- JS-API fingerprinting — but with no network egress, the deck cannot transmit fingerprints.
- Visual phishing inside the iframe — mitigated by clear app-level chrome around the deck.
What we ask of authors
- Paste JS/CSS inline. Images can be data URIs already, or you can let Shipslides download absolute image URLs and store them as data URIs during upload.
- Don't paste API keys or secrets — your deck is publicly readable. We scan for common token patterns and warn before publishing.
- Save your claim token after upload. It is the only way to take a deck down.
Reporting abuse
Found a deck that violates our rules? Email abuse@shipslides.com with the deck URL. We aim to respond within 24 hours.