Security Risks of Including a 3rd Party iFrame

Question

What are the application security risks of including a hidden 3rd Party iFrame?

If I understand correctly...

• Click jacking isn't an issue for me because I own the parent page
• Same-Origin Policy prevents 3p frame from interacting my dom/cookies/js
• The frame is hidden, so I don't have to worry about anything that may be displayed in the frame

However I did some experiments in the Chrome console and...

• 3p frame can call things like alert/prompt
• 3p frame can redirect the parent via location.href
• Malware inside the 3p frame (java/flash/activeX) could infect my user

I'd love to see a list of the possible issues and any mitigations, but I can't find a good source of information.

So...What are the application security risks of including a hidden 3rd Party iFrame?

Answer 1

If you are implementing Iframes on your website, you could use the sandbox tag in HTML5' iframe to prevent yourself/others on your website.

Source: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

I don't know how effective it is (the sandbox feature), but it states it can restrict scripts, forms etc inside the iframe.

<iframe sandbox="" src="www.example.com"/>

Although not a guaranteed and effective method, it's one of many different ways. On your end though, you could use add-ons such as NoScript to prevent certain/all scripts from running.

It's possible that the 3rd party iframe, as you said, could use exploits such as drive-by-downloads, browser exploits to gain access to your OS and possibly more.

See also here: Why are iframes considered dangerous and a security risk?

Hope this helps.