
Flash does not work in an iframe with the sandbox attribute

I've used an iframe to show some pages. These pages may contain Adobe Flash content like a video. My problem is that Adobe Flash doesn't execute in an iframe with the sandbox attribute. My iframe tag:

<iframe sandbox="allow-popups allow-pointer-lock allow-same-origin allow-forms allow-scripts" src="http://example.com"></iframe>
AliN11 asked Oct 16 '14 19:10


People also ask

What is the function of the sandbox attribute in iframe?

The sandbox attribute enables an extra set of restrictions for the content in the iframe.

Are iframes sandboxed?

Given an iframe with an empty sandbox attribute, the framed document will be fully sandboxed, subjecting it to the following restrictions: JavaScript will not execute in the framed document. This not only includes JavaScript explicitly loaded via script tags, but also inline event handlers and javascript: URLs.

Which of the following tokens should not be used together while sandboxing an iframe: (a) allow-scripts, (b) allow-same-origin, (c) allow-popups, (d) allow-presentation?

Note that it's not advisable to add both values allow-scripts and allow-same-origin: these two values will allow the iframe to access and modify your DOM. In this case, a malicious iframe could perform all sorts of operations, and could even remove its own sandbox attribute!

Is iframe sandbox safe?

This technique is quite dangerous because it can be misused to infect the user with some unwanted or corrupted software or malicious program. Such things sometimes prompt users to download or click on things that will bring harm to their system.


1 Answer

Short answer: you can't execute the Flash plugin in a sandboxed iframe.

The spec: http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox

Plugins that cannot be secured are disabled in sandboxed browsing contexts because they might not honor the restrictions imposed by the sandbox (e.g. they might allow scripting even when scripting in the sandbox is disabled). User agents should convey the danger of overriding the sandbox to the user if an option to do so is provided.

For comprehensive information about the sandbox attribute: http://blog.dareboost.com/en/2015/07/securing-iframe-sandbox-attribute/

Damien answered Oct 17 '22 12:10
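
The behaviour described in the answer above, as an added example (not part of the original question or answer): a JavaScript function that parses a sandbox value, reports that plugins stay disabled whatever tokens are set, and flags the allow-scripts plus allow-same-origin combination when the framed URL shares the embedding page's origin. The name auditSandbox, its result fields and the embedder origin https://app.example.org are assumptions made for illustration; the token list is the set of sandbox keywords from the HTML Standard.

```javascript
// Added example: audit an iframe sandbox attribute value (not from the original page).
// Token names are real HTML sandbox keywords; function and field names are hypothetical.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

function auditSandbox(sandboxValue, frameSrc, embedderOrigin) {
  // null/undefined means the attribute is absent: no sandbox at all.
  if (sandboxValue == null) {
    return { sandboxed: false, pluginsBlocked: false, scripts: true,
             keepsOrigin: true, unknownTokens: [], findings: ["iframe is not sandboxed"] };
  }
  // The value is a set of space-separated, case-insensitive tokens.
  const tokens = new Set(sandboxValue.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
  const unknownTokens = [...tokens].filter((t) => !KNOWN_TOKENS.has(t));
  const scripts = tokens.has("allow-scripts");
  const keepsOrigin = tokens.has("allow-same-origin");
  const findings = [];

  // No token re-enables plugins: per the spec text quoted in the answer,
  // plugins that cannot be secured stay disabled in any sandboxed context.
  findings.push("plugins (e.g. Flash) are disabled; no sandbox token lifts this");

  if (unknownTokens.length) findings.push("unknown tokens ignored: " + unknownTokens.join(", "));

  // allow-scripts + allow-same-origin only defeats the sandbox when the
  // framed document shares the embedding page's origin.
  const frameOrigin = new URL(frameSrc, embedderOrigin).origin;
  if (scripts && keepsOrigin) {
    findings.push(frameOrigin === embedderOrigin
      ? "HIGH: same-origin content with scripts can remove its own sandbox attribute"
      : "note: cross-origin content keeps its own origin but cannot reach the embedding page's DOM");
  }
  return { sandboxed: true, pluginsBlocked: true, scripts, keepsOrigin, unknownTokens, findings };
}

// Constructed inputs: the tag from the question, embedded by a hypothetical page.
const fromQuestion = auditSandbox(
  "allow-popups allow-pointer-lock allow-same-origin allow-forms allow-scripts",
  "http://example.com", "https://app.example.org");
console.log(fromQuestion.findings.join("\n"));
```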