I'm dynamically creating an iframe in my app, result looks as follows:
<iframe src="blob:http%3A//localhost%3A9292/0194dfed-6255-4029-a767-c60156f3d359"
scrolling="no" sandbox="allow-scripts allow-popups allow-same-origin"
name="sandbox" style="width: 100%; height: 100%; border: 0px;"></iframe>
Is it safe to have such sandbox configuration (especially allowing the iframe content to be treated as being from the same origin)?
Now, these are things that carry a great security risk, so to make things more secure for users, the W3C added the 'sandbox' attribute to the HTML specification. This attribute limits the actions of an iframe within a web page and makes it quite secure and protected.
allow-scripts allows JavaScript execution, and also allows features to trigger automatically (as they'd be trivial to implement via JavaScript). allow-top-navigation allows the document to break out of the frame by navigating the top-level window.
The sandbox attribute enables an extra set of restrictions for the content in the iframe. When the sandbox attribute is present, it will: treat the content as being from a unique origin; block form submission.
As commented by Namey, allow-same-origin will not allow the iframe to be treated as from the same origin as the parent and is safe to use (unless the parent and the iframe share the same origin, cf. the warning on MDN).
As described by https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/#granular-control-over-capabilities:
The framed document is loaded into a unique origin, which means that all same-origin checks will fail; unique origins match no other origins ever, not even themselves. Among other impacts, this means that the document has no access to data stored in any origin’s cookies or any other storage mechanisms (DOM storage, Indexed DB, etc.).
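The following is an added example, not code from the question or from either answer. It models, in plain Node.js rather than in a browser, what the sandbox tokens in the question actually yield once the frame's origin is taken into account. Two facts it relies on: a blob: URL minted with URL.createObjectURL() carries the origin of the document that created it inside the URL (blob:<origin>/<uuid>), and, as the MDN warning referenced above documents, a frame that keeps the embedder's origin via allow-same-origin and may run script via allow-scripts can reach the parent document and remove the sandbox attribute from its own <iframe>. The parent URL (http://localhost:9292/app), the second widget origin and the sandbox strings other than the question's are constructed sample values; the token list is the set of commonly used spec tokens, not an exhaustive one.

```javascript
// Added example (not from the question or answers): a Node-runnable model of
// sandbox-token semantics. URLs other than the question's are constructed.

// Tokens defined by the HTML spec that a practitioner commonly meets.
// Not exhaustive; browsers ignore tokens they do not know.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals',
  'allow-orientation-lock', 'allow-pointer-lock', 'allow-popups',
  'allow-popups-to-escape-sandbox', 'allow-presentation',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

// Split a sandbox attribute value into its (case-insensitive) tokens and
// report anything unrecognised, which a browser would silently drop.
function parseSandbox(attrValue) {
  const tokens = String(attrValue).trim().split(/\s+/).filter(Boolean)
    .map((t) => t.toLowerCase());
  const unknown = tokens.filter((t) => !KNOWN_TOKENS.has(t));
  return { tokens: new Set(tokens), unknown };
}

// Origin a browser assigns to a URL. A blob: URL embeds the creating
// document's origin in its path; the question's markup shows that inner
// part percent-encoded, so it is decoded before being parsed.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol === 'blob:') {
    return new URL(decodeURIComponent(u.pathname)).origin;
  }
  return u.origin;
}

// What the sandbox buys for a frame at frameUrl embedded by a document at
// parentUrl. The escapable case is allow-scripts plus allow-same-origin on
// content that shares the embedder's origin: the framed script can then
// reach parent.document and strip the sandbox attribute from its iframe.
function evaluateSandbox(attrValue, frameUrl, parentUrl) {
  const { tokens, unknown } = parseSandbox(attrValue);
  const frameOrigin = originOf(frameUrl);
  const parentOrigin = originOf(parentUrl);
  const keepsOrigin = tokens.has('allow-same-origin');
  const scripts = tokens.has('allow-scripts');
  const sameOriginAsParent = keepsOrigin && frameOrigin === parentOrigin;

  const findings = [];
  if (!keepsOrigin) {
    findings.push(`opaque origin: no access to cookies or storage of ${frameOrigin}`);
  }
  if (scripts && sameOriginAsParent) {
    findings.push('frame shares the embedder\'s origin and may run script: '
      + 'it can remove its own sandbox attribute, so the sandbox is ineffective');
  }
  if (tokens.has('allow-top-navigation')) {
    findings.push('frame may navigate the top-level window (frame-busting)');
  }
  if (unknown.length) {
    findings.push(`ignored unknown tokens: ${unknown.join(', ')}`);
  }
  return {
    effectiveOrigin: keepsOrigin ? frameOrigin : 'opaque',
    scripts,
    sameOriginAsParent,
    escapable: scripts && sameOriginAsParent,
    findings,
  };
}

// Minimal hardening for the escapable case: drop allow-same-origin so the
// frame gets the unique origin the html5rocks quote describes. Serving the
// framed content from a separate origin instead is not modelled here.
function hardenSandbox(attrValue, frameUrl, parentUrl) {
  if (!evaluateSandbox(attrValue, frameUrl, parentUrl).escapable) {
    return String(attrValue).trim();
  }
  return [...parseSandbox(attrValue).tokens]
    .filter((t) => t !== 'allow-same-origin').join(' ');
}

// Constructed sample: the exact sandbox and blob URL from the question,
// embedded by a page on the same localhost:9292 origin that minted the blob.
const QUESTION_SANDBOX = 'allow-scripts allow-popups allow-same-origin';
const QUESTION_FRAME = 'blob:http%3A//localhost%3A9292/0194dfed-6255-4029-a767-c60156f3d359';
const QUESTION_PARENT = 'http://localhost:9292/app';

console.log(evaluateSandbox(QUESTION_SANDBOX, QUESTION_FRAME, QUESTION_PARENT));
console.log('hardened:', hardenSandbox(QUESTION_SANDBOX, QUESTION_FRAME, QUESTION_PARENT));
```

Run with node: for the question's configuration the evaluator reports that the frame keeps the http://localhost:9292 origin and is escapable, so the sandbox adds nothing against a hostile blob payload; with allow-same-origin removed it reports an opaque origin, which is the restriction the html5rocks passage above describes. The same evaluator reports a cross-origin widget with allow-scripts allow-same-origin as not escapable, which is the case the second answer calls safe.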