
Iframe – let the user pick the src - any security issues?

I want to allow logged-in users to view any 3rd-party content via an IFrame.

Something like allowing Gmail users to view any Web Calendar they want inside an IFrame.

Is allowing the users to set the IFrame Src Url a security problem?

What security issues will I face?

Any other need-to-know tips for using IFrames will be welcome.

Thanks

Rafael

SirMoreno asked Feb 27 '23 04:02


2 Answers

Are you afraid of users that want to harm you? Then the answer is, you can't do anything about it. They can control the source in their browser anyway as they want. You have to do your security server side.

But if you want to protect your clients from malicious code that is on 3rd party websites that get loaded via the iframe, the answer is: iframe is quite safe. XSS/same-source-origin policies are pretty good these days.

Well, of course such a thing is always a risk. You don't have to be afraid of the content in the iframe. What I would rather recommend is to validate the content or the src tag. Make it a valid URL and then you should be fine.

The only thing that the page in the iframe could probably do is to redirect your page to a bad site (as the document.location attribute is manipulable and readable in an iframe from a different origin). There are ways to prevent that but they are not reliable.

You could load the source of the external website to your server and output it, setting a base href attribute to the external site, so everything will load properly; then you have the ability to check/manipulate the document. But that's pretty complicated if you want to maintain advanced stuff like JavaScript etc.

To sum it up: the site can't really harm you. But the user. But if the user specifies a bad site, well, it's really her/his problem....

The Surrican answered Mar 03 '23 20:03


Extending on what Joe said:

the site can't really harm you. But the user.

This is the central point: as long as the chosen src is only used and viewed by the user that entered it, never mind. Everything the user can do has the same effect as if he opened the src in another browser tab. You should not mind about that.

Things become different if other users can also see the src. That's plainly obvious at first, but imagine the following: the src is cached in the hash of the URL for some reason, so your page uses URLs like

http://www.myapp.com/view#http://www.thesrcpage.com

You should avoid that because malicious users might use your page as a proxy to give their victims a link that obviously points to your site but then opens another evil site.

Potential victims might open the link because they trust you. And they'll blame you if the link hurts them.

Steffen Müller answered Mar 03 '23 19:03
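
The two recommendations above (validate the src, and do not take it from the link) as an added example that is not part of either answer. `APP_ORIGIN`, the function names and the sample URLs are assumptions made for illustration; the `sandbox` attribute is the standard HTML iframe attribute.

```javascript
// Added example; APP_ORIGIN and all function names are hypothetical.
const APP_ORIGIN = "http://www.myapp.com"; // the embedding app from the answer above

// Returns a normalized URL if `input` may be used as an iframe src, otherwise null.
function validateIframeSrc(input) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let url;
  try {
    url = new URL(input.trim()); // absolute URLs only; relative input throws
  } catch {
    return null;
  }
  // Only plain web content: rejects javascript:, data:, blob:, file: and the rest.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // user:password@host forms can disguise the real host in a displayed URL.
  if (url.username !== "" || url.password !== "") return null;
  // Never frame the app itself: with the sandbox flags below, same-origin
  // content could script its way out of the sandbox.
  if (url.origin === APP_ORIGIN) return null;
  return url.href;
}

// The pattern the second answer warns about: the frame target is read from the
// link, so whoever crafts the link decides what the person opening it sees.
function srcFromFragment(pageUrl) {
  return new URL(pageUrl).hash.slice(1);
}

// Hardened form: the target comes only from the viewer's own saved setting
// (a server-side, per-user value) and the page URL is never consulted.
function frameAttributesFor(viewerSettings) {
  const src = validateIframeSrc(viewerSettings.frameSrc);
  if (src === null) return null;
  return {
    src,
    // No allow-top-navigation token: the framed page cannot redirect the
    // embedding page to another site.
    sandbox: "allow-scripts allow-forms allow-same-origin",
    referrerpolicy: "no-referrer",
  };
}

// Constructed sample input: a crafted link and the viewer's real setting.
const craftedLink = "http://www.myapp.com/view#http://evil.example/login";
const viewer = { frameSrc: "https://calendar.example/embed?cal=team" };
console.log(srcFromFragment(craftedLink));   // attacker-chosen target
console.log(frameAttributesFor(viewer).src); // viewer-chosen target
```

The same validation has to run on the server when the setting is saved, since anything checked only in the browser can be bypassed by the user.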