CSRF and iframes

Tags:

php

csrf

When preventing CSRF attacks I should take the following steps:

  1. User logs in, set session cookie and generate CSRF token
  2. User submits form (with token) and it should match the token in session

But when an attacker uses an iframe, it'll also send the session cookie, which results in the same CSRF token; also, forms within the iframe will contain the token. So the attacker gets access.

What am I missing here?

Scee asked Jul 10 '16 10:07


1 Answer

You're missing the fact that IFrames do not get full access to Window objects under the Same Origin Policy unless their origins match. Details here:

JavaScript APIs such as iframe.contentWindow, window.parent, window.open and window.opener allow documents to directly reference each other. When the two documents do not have the same origin, these references provide very limited access to Window and Location objects.

Therefore the attacker's frame will not be able to read window.document nor the CSRF fields within any contained form.

You do have Clickjacking to worry about, however. This is where your site is loaded in an IFrame but is then made transparent, and the user is enticed into clicking something on the attacker's page (e.g. "Win an iPad click here") which in fact causes the click to actually happen on a sensitive function within your page.

Use of the X-Frame-Options: DENY header and the Content Security Policy frame-ancestors directive is recommended to prevent framing of your site.

SilverlightFox answered Nov 25 '22 02:11
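To tie the two halves of the thread together, here is an added example (not code from the question or the answer) of the token flow the question describes plus the anti-framing headers the answer recommends. It assumes a plain PHP session-based page; the helper names csrf_token() and csrf_valid() and the form field name csrf_token are illustrative choices. The server-side comparison is what the Same Origin Policy protects: a cross-origin frame on the attacker's page can submit the victim's cookie, but it cannot read the token out of the framed document to put it in its own request.

```php
<?php
// Added example, not from the original question or answer. Assumes a plain
// PHP session-based application; csrf_token(), csrf_valid() and the hidden
// field name "csrf_token" are illustrative names chosen for this example.
declare(strict_types=1);

session_start();

// Step 1 (from the question): issue a per-session CSRF token. It is generated
// once from a CSPRNG, stored server-side in the session, and echoed into every
// form as a hidden field. A cross-origin attacker page cannot read it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Step 2 (from the question): verify the submitted token against the session
// copy. is_string() rejects array tricks such as csrf_token[]=x, and
// hash_equals() compares in constant time so the check does not leak how many
// leading bytes of the token matched.
function csrf_valid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Anti-clickjacking headers from the answer: refuse to be framed at all.
// Both are sent because older browsers honour X-Frame-Options while current
// ones use the CSP frame-ancestors directive. Headers must precede any output.
header('X-Frame-Options: DENY');
header("Content-Security-Policy: frame-ancestors 'none'");

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the state-changing action here ...
    exit('OK');
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Do something</button>
</form>
```

Two points worth checking in your own deployment: the token must only ever be compared server-side (never trust a token the client echoes back without the session copy to match it against), and the headers must be sent on every response that could be framed, not just the form page, or the clickjacking route the answer describes stays open on the unprotected pages.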