Security Risks of Including a 3rd Party iFrame

Question

What are the application security risks of including a hidden 3rd Party iFrame?

If I understand correctly...

Click jacking isn't an issue for me because I own the parent page
Same-Origin Policy prevents 3p frame from interacting my dom/cookies/js
The frame is hidden, so I don't have to worry about anything that may be displayed in the frame

However I did some experiments in the Chrome console and...

3p frame can call things like alert/prompt
3p frame can redirect the parent via location.href
Malware inside the 3p frame (java/flash/activeX) could infect my user

I'd love to see a list of the possible issues and any mitigations, but I can't find a good source of information.

So...What are the application security risks of including a hidden 3rd Party iFrame?

score 2 · Accepted Answer · edited May 23 '17 at 12:28

2

If you are implementing Iframes on your website, you could use the sandbox tag in HTML5' iframe to prevent yourself/others on your website.

Source: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

I don't know how effective it is (the sandbox feature), but it states it can restrict scripts, forms etc inside the iframe.

<iframe sandbox="" src="www.example.com"/>

Although not a guaranteed and effective method, it's one of many different ways. On your end though, you could use add-ons such as NoScript to prevent certain/all scripts from running.

It's possible that the 3rd party iframe, as you said, could use exploits such as drive-by-downloads, browser exploits to gain access to your OS and possibly more.

See also here: Why are iframes considered dangerous and a security risk?

Hope this helps.

edited May 23 '17 at 12:28

Community

1
1

answered Oct 16 '13 at 15:39

RobAtStackOverflow

525
3
16

I didn't know about the sandbox attribute, thank you very much! However, I still want to know what the risks are. The stackoverflow link doesn't really answer it either since most of the answers assume that your site will be the one included, rather than the other way around. – Joe Zack Oct 17 '13 at 02:56
1

No problem - Until HTML5 is fully rolled out to all browsers, and all websites use them - I wouldn't rely on it as sole means of protection. As for risks of iframes, it's essentially the same as visiting a website, just embedded on your/the website. If your/the website is vulnerable (XSS etc) then it can impact. Otherwise, as you mentioned - exploits can be run through an iframe. As the link mentioned - Iframes aren't the problem, it's the website hosting the content. Rather than focus on iframes, focus on possible exploits within websites/web browsers. Hope this helps clear some things up. – RobAtStackOverflow Oct 17 '13 at 12:24
1

An `` without an attribute `sandbox` can be used to run JS code saying `document.top.location.href = ...` and force a redirect to another page. That allows anybody controlling the 3rd party iframe to do a forced redirect. If that redirect goes to a well executed phishing site and your users do not pay attention to address bar, the attacker has a good change to get your users to leak their credentials. They cannot fake the address bar but they can force the redirect and control everything else after that. Leaving `allow-top-navigation` out of `sandbox` value avoids this problem. – Mikko Rantalainen Jul 07 '21 at 07:18

Security Risks of Including a 3rd Party iFrame

1 Answers1

Linked