Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Security Risks of Including a 3rd Party iFrame

What are the application security risks of including a hidden 3rd Party iFrame?

If I understand correctly...

  • Click jacking isn't an issue for me because I own the parent page
  • Same-Origin Policy prevents 3p frame from interacting my dom/cookies/js
  • The frame is hidden, so I don't have to worry about anything that may be displayed in the frame

However I did some experiments in the Chrome console and...

  • 3p frame can call things like alert/prompt
  • 3p frame can redirect the parent via location.href
  • Malware inside the 3p frame (java/flash/activeX) could infect my user

I'd love to see a list of the possible issues and any mitigations, but I can't find a good source of information.

So...What are the application security risks of including a hidden 3rd Party iFrame?

like image 255
Joe Zack Avatar asked Oct 16 '13 15:10

Joe Zack


1 Answers

If you are implementing Iframes on your website, you could use the sandbox tag in HTML5' iframe to prevent yourself/others on your website.

Source: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

I don't know how effective it is (the sandbox feature), but it states it can restrict scripts, forms etc inside the iframe.

<iframe sandbox="" src="www.example.com"/>

Although not a guaranteed and effective method, it's one of many different ways. On your end though, you could use add-ons such as NoScript to prevent certain/all scripts from running.

It's possible that the 3rd party iframe, as you said, could use exploits such as drive-by-downloads, browser exploits to gain access to your OS and possibly more.

See also here: Why are iframes considered dangerous and a security risk?

Hope this helps.

like image 190
RobAtStackOverflow Avatar answered Oct 12 '22 19:10

RobAtStackOverflow