iFrames, short for ‘inline frame’, are among the oldest HTML tags. Even though all modern browsers support them, they create one of the most critical client-side vulnerabilities. iFrames are used to embed another HTML document into the current one, enabling the embedded content you see everywhere on the web: videos, payment pages, ads, etc. However, they have developed a bad reputation because attackers can hide malicious content in iFrames that appear to operate normally from your customer’s point of view. Misuse of iframes has given rise to attacks including displaying unauthorized content, ‘malvertising’, clickjacking, and ‘cross-site scripting’.
To decrease the risk of unauthorized access via iframes, the W3C added the option to ‘sandbox’ iframes in the HTML5 specification.
‘The principle of least privilege’ is defined by security experts as the concept of always granting the minimum level of capability needed to perform a particular operation. The HTML5 sandbox attribute allows a web developer to define which privileges to grant an iframe.
Enterprises use iframes for multiple reasons, including advertising, media integration and payment pages. One of the challenges enterprises have faced with iframes is that forms in iframes can be used to retrieve user input. For example, a recent attack compromised an iFrame on Braintree, the widely used e-commerce payment system: a digital skimmer compromised a Braintree-hosted fields payment form on an e-commerce website. The problem with attacks like these is that they are able to steal the data while allowing the transaction to complete successfully. For both vendor and customer, everything’s all right - until it isn’t. Data breaches caused by compromised iframes can lead to regulatory violations resulting in hefty fines.
Sandboxing makes sure that the online user experience remains free of disruptions and sensitive information collected from customers remains secure.
iFrame sandboxing enables granular control over capabilities.
An <iframe> sandbox allowing scripts and restricting all other capabilities:
<iframe src="test_iframe.htm" sandbox="allow-scripts"></iframe>
An <iframe> sandbox allowing the page to open modal windows:
<iframe src="test_iframe.htm" sandbox="allow-modals"></iframe>
The sandbox attribute enables an extra set of restrictions for the content in the iframe.
However, a full sandbox setting is only recommended for static content. For other content, it becomes important to lift a few restrictions so as not to break any functionality. With the exception of plugins, each of these restrictions can be lifted by adding a flag to the sandbox attribute’s value. Modern browsers support flags like allow-forms, allow-popups, allow-scripts, allow-top-navigation, etc.
Care should be taken that ‘allow-same-origin’ and ‘allow-scripts’ are not used together: if the framed document is same-origin with the embedding page, this combination lets it access the embedding website’s DOM, manipulate the code on the origin website and even remove its own sandbox attribute.
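As an added example (not code from the original post or from Tala), the following Node-compatible script shows both sides of the least-privilege approach described above: composing a sandbox value from only the capabilities an embedded document has been seen to need, and auditing raw HTML for iframes that lack a sandbox or combine allow-same-origin with allow-scripts. The function names (buildSandbox, auditIframes, parseAttrs) and the sample HTML are constructed for this illustration; the token list is the set of sandbox keywords defined by the HTML specification.

```javascript
// Added example, not part of the original post. Names and sample input are assumed.

// Sandbox keywords defined by the HTML specification.
const KNOWN_SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Least privilege: start from the empty sandbox (everything restricted) and
// grant only the capabilities the embedded content is known to need.
function buildSandbox(needed) {
  const tokens = [];
  for (const t of needed) {
    if (!KNOWN_SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
    if (!tokens.includes(t)) tokens.push(t);
  }
  // Refuse the combination that lets same-origin content strip its own sandbox.
  if (tokens.includes('allow-same-origin') && tokens.includes('allow-scripts')) {
    throw new Error('allow-same-origin together with allow-scripts defeats the sandbox');
  }
  return tokens.join(' ');
}

// Extract name/value pairs from a single <iframe ...> start tag.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<iframe\b/i, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    // A bare attribute such as `sandbox` (no value) is recorded as ''.
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Scan raw HTML and report iframes whose sandbox is missing or too permissive.
function auditIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const src = attrs.src || '(no src)';
    if (!('sandbox' in attrs)) {
      findings.push({ src, severity: 'high', issue: 'no sandbox attribute' });
      continue;
    }
    const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
    const unknown = tokens.filter((t) => !KNOWN_SANDBOX_TOKENS.has(t));
    if (unknown.length) {
      findings.push({ src, severity: 'low', issue: `unknown tokens: ${unknown.join(' ')}` });
    }
    if (tokens.includes('allow-same-origin') && tokens.includes('allow-scripts')) {
      findings.push({ src, severity: 'high', issue: 'allow-same-origin + allow-scripts' });
    }
    if (tokens.includes('allow-top-navigation')) {
      findings.push({ src, severity: 'medium', issue: 'allow-top-navigation granted' });
    }
  }
  return findings;
}

// Constructed sample page: one unsandboxed frame, one fully sandboxed frame,
// one with the dangerous combination, and one that may navigate the top window.
const SAMPLE_HTML = `
<iframe src="ads.htm"></iframe>
<iframe src="static.htm" sandbox></iframe>
<iframe src="widget.htm" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="pay.htm" sandbox='allow-forms allow-top-navigation'></iframe>
`;

console.log(buildSandbox(['allow-scripts', 'allow-forms']));
console.log(auditIframes(SAMPLE_HTML));
```

The audit is intentionally conservative: an unknown token is only a low-severity note, because browsers ignore keywords they do not recognise, while a missing attribute or the same-origin-plus-scripts pairing is the finding a reviewer would act on first.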
Applying iframe sandboxing with the right restrictions requires some expertise and continuous administration for effective iframe configuration. In addition, identifying pages eligible for top-level iframe sandboxing can be challenging and time consuming.
Tala’s application analysis engine continuously scans all iframes present on a set of pages to discover the attributes that they might be using (e.g. pop-ups, scripts, etc). This allows for the configuration of appropriate sandbox environments for each of the iframes. Sandboxing can be implemented on a single URL, set of URLs, or all URLs the iframe is present on and can be disabled via the Tala console instantly if required. Learn more about how WARP works.
Request a free website analysis to find out.