Rules Repository: RSPEC-3274

"iframes" should be sandboxed

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      * Sandbox this "iframe".
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Targeted languages:
      HTML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • OWASP:
      A3, A7

      Description

      HTML5 introduces the ability to restrict the permissions of content loaded into an iframe. Adding the sandbox attribute to an iframe tag limits the iframe to loading the specified content and nothing more: no scripts will run, no popups will open, and so on. You can re-enable individual capabilities by listing them in the attribute's value:

      • allow-forms - form submission
      • allow-popups - popups
      • allow-scripts - script execution
      • allow-pointer-lock - access to the "pointer lock" API
      • allow-same-origin - sandboxed content is treated as coming from a different origin (even when it is not). This token turns that off so that, for instance, the iframe content can access its site's cookies.
      • allow-top-navigation - turns the target attribute of <a> tags back on, so the framed content may navigate the top-level page

      Following the principle of least privilege, this rule raises an issue for each iframe that does not have a sandbox attribute.

      Noncompliant Code Example

      <iframe src="https://platform.twitter.com/widgets/tweet_button.html"
              style="border: 0; width:130px; height:20px;">  <!-- Noncompliant -->
      </iframe>
      

      Compliant Solution

      <iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms"
          src="https://platform.twitter.com/widgets/tweet_button.html"
          style="border: 0; width:130px; height:20px;">
      </iframe>
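      As an added example (not part of the rule specification or of SonarSource's analyzer), a small JavaScript checker that applies this rule's logic to an HTML string: every iframe without a sandbox attribute is reported with the rule's message, and for sandboxed iframes the re-enabled allow-* tokens are listed. It relies on regular expressions rather than a full HTML parser, and the sample HTML is constructed from the two snippets above.

```javascript
// Added example: checker implementing RSPEC-3274's logic over an HTML string.
// Regex based, so it is a linting aid rather than a spec-compliant HTML parser.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse one tag's attribute text into a Map of lower-cased name -> value.
// A value-less attribute such as a bare `sandbox` maps to the empty string.
function parseAttrs(attrText) {
  const attrs = new Map();
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs.set(m[1].toLowerCase(), m[3] ?? m[4] ?? m[5] ?? '');
  }
  return attrs;
}

// One finding per iframe: { line, sandboxed, allowed, message }.
// `allowed` lists the allow-* tokens the author re-enabled; `message` is the
// rule's message for unsandboxed frames and null otherwise.
function checkIframes(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    const line = html.slice(0, m.index).split('\n').length;
    const sandboxed = attrs.has('sandbox');
    const allowed = sandboxed
      ? attrs.get('sandbox').trim().split(/\s+/).filter(Boolean)
      : [];
    findings.push({
      line,
      sandboxed,
      allowed,
      message: sandboxed ? null : 'Sandbox this "iframe".',
    });
  }
  return findings;
}

// Constructed sample: the rule's noncompliant and compliant snippets together.
const SAMPLE = `<iframe src="https://platform.twitter.com/widgets/tweet_button.html"
        style="border: 0; width:130px; height:20px;">
</iframe>
<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms"
    src="https://platform.twitter.com/widgets/tweet_button.html">
</iframe>`;

for (const f of checkIframes(SAMPLE)) {
  console.log(f.sandboxed
    ? `line ${f.line}: sandboxed, re-enables ${f.allowed.join(', ') || 'nothing'}`
    : `line ${f.line}: ${f.message}`);
}
```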
      

            People

            Assignee:
            massimo.paladin Massimo PALADIN
            Reporter:
            ann.campbell.2 Ann Campbell