0

Case :

i m developing a client side website which shows iframes to users and the urls are not in my control or are different from my domain

for example

my domain is https://example.com and the domain of iframe is https://random.app.example.com. the other domain content is handled by random users

What i have done :

so in order to stop the abuse i have sandboxed the iframe like this

sandbox="allow-scripts allow-same-origin allow-forms"

as of my research and knowledge this much sandboxing gives enough power to the iframe but not enough to exploit the parent site.

i have wrapped up things very quick so i might have missed things

Real Question :

so just to make sure i want to know if there are any threats left in this approach and also please mention the solution to overcome the threat

any kind of suggestion is welcomed please help

Harkal
  • 1,770
  • 12
  • 28
  • this question is not duplicate. read it again whoever flagged this as duplicate – Harkal Sep 27 '20 at 14:26
  • I'm not sure how the duplicate does not answer your question. Specifically, "*you're basically trusting that domain not to serve-up malware.*" and "*A correctly implemented browsers (a.k.a. User Agent) will not allow the iframe contents to leak outside the iframe.*" – Bergi Sep 27 '20 at 14:51
  • @Bergi well, i have already sandboxed the iframe because i dont know what the user would serve in that iframe thats why i have asked a specific question => is there still any threat in my appraoch ? please unflag it if you can – Harkal Sep 27 '20 at 14:53
  • A threat to do what specifically? No, your site's dom is safe and always was, but of course the iframe still might serve bad content (containing malware, tricking users into doing things they shouldn't, etc.). I'm not going to reopen. – Bergi Sep 27 '20 at 14:57
  • @Bergi no prob enjoy thnx – Harkal Sep 27 '20 at 14:58

0 Answers0