What is iFrame Sandboxing

iFrames, short for ‘inline frame’, are among the oldest HTML elements. Every modern browser supports them, and they are also one of the most common sources of client-side risk. An iframe embeds another HTML document inside the current one, which is what makes most of the embedded content you see on the web possible: videos, payment pages, ads and so on. Their bad reputation comes from the fact that an attacker who controls framed content can keep it looking and behaving normally for your customer while doing something else underneath. Misuse of iframes has given rise to attacks including display of unauthorized content, ‘malvertising’, clickjacking and cross-site scripting.

To reduce the risk of an embedded document doing more than it should, the W3C added the option to ‘sandbox’ an iframe to the HTML5 specification.

How iFrame Sandboxing Works

‘The principle of least privilege’ is the security concept of granting only the minimum capability needed to perform a particular operation. The HTML5 sandbox attribute applies that principle to iframes: the web developer declares which privileges the framed document is granted, and everything else is withheld.

When an iframe is sandboxed in its most restrictive setting (a bare sandbox attribute with no value), the browser treats the content as coming from a unique, opaque origin, and the framed document can no longer run JavaScript, submit forms, open pop-ups, load plugins or navigate the top-level page.

A fully restrictive sandbox is only practical for static content. For anything else, restrictions have to be lifted selectively so that the embed keeps working. With the exception of plugins, which stay blocked in every sandboxed frame, each restriction can be lifted by adding a flag to the sandbox attribute’s value. Modern browsers support flags such as allow-forms, allow-popups, allow-scripts and allow-top-navigation.


Protecting Data with iFrame Sandboxing


Enterprises use iframes for many purposes, including advertising, media integration and payment pages. One challenge enterprises have faced with iframes is that forms inside them collect user input, which makes them a target. For example, in a recent attack a digital skimmer compromised the Braintree hosted-fields payment form on an e-commerce website (Braintree is a widely used e-commerce payment system). The problem with attacks like these is that they steal the data while letting the transaction complete successfully, so for both vendor and customer everything looks fine until it isn’t. Data breaches caused by compromised iframes can lead to regulatory violations and hefty fines.

Sandboxing helps keep the online user experience free of disruption and the sensitive information collected from customers secure. Keep in mind that the sandbox attribute is set by the embedding page and restricts what the framed document can do: it limits the damage an untrusted or compromised embed can cause to the page that hosts it, but it does not protect that embed from script already running on the host page.

iFrame Sandboxing Examples

iFrame sandboxing enables granular control over capabilities. 

An <iframe> sandbox allowing scripts and restricting all other capabilities:

<iframe src="test_iframe.htm" sandbox="allow-scripts"></iframe>

An <iframe> sandbox allowing the framed page to open modal dialogs (alert, confirm, prompt and print). Note that modals are opened from script, so on its own this flag has no practical effect; in real deployments it is combined with allow-scripts:

<iframe src="test_iframe.htm" sandbox="allow-modals"></iframe>


iFrame Sandbox Attributes

The sandbox attribute enables an extra set of restrictions for the content in the iframe.

Sandboxing works on an allow-list basis. The browser begins by removing every capability, and individual capabilities are turned back on by adding specific flags to the iframe’s sandbox attribute. When an iframe is sandboxed in its most restrictive setting, the browser treats the content as being from a unique origin and the iframe can no longer execute JavaScript, submit forms, load plugins or pop-ups, create new windows or dialogs, and so on. Because the content is treated as being from a unique origin, it also loses access to the cookies and DOM storage of the origin it was actually loaded from, and any XHR or fetch request it makes is treated as cross-origin rather than same-origin.

However, a full sandbox setting is only recommended for static content. For other content, a few restrictions have to be lifted so as not to break functionality. With the exception of plugins, each of these restrictions can be lifted by adding a flag to the sandbox attribute’s value. Modern browsers support flags like allow-forms, allow-popups, allow-scripts, allow-top-navigation, etc.

Care should be taken that ‘allow-same-origin’ and ‘allow-scripts’ are not used together for content served from the same origin as the embedding page. With both flags the framed document keeps its real origin and can run script, so it can reach the host page’s DOM through window.parent, manipulate the code on the host page, and even remove its own sandbox attribute. For a cross-origin embed the combination is not an escape, but it does hand the frame its own cookies and storage, so it should still be granted deliberately.
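The allow-list model and the allow-scripts + allow-same-origin caveat are easy to check mechanically. The Node.js linter below is an added example written for this page; it is not Tala’s product code and not part of the HTML specification. It parses each iframe’s sandbox value the way browsers do (ASCII whitespace separated, case-insensitive, unrecognised tokens ignored), resolves whether the frame is same-origin with the embedder, and reports the findings a reviewer cares about. The sample page, the origins (shop.example.com and friends) and the finding codes are all constructed for the example; the flag list covers the tokens in the HTML Living Standard that the example recognises.

```javascript
// Added example (not Tala's code): lint <iframe sandbox="..."> values in a page.

// Sandbox flags this linter recognises. Browsers ignore any token they do not
// know, so a misspelled flag fails closed (the capability stays blocked) but
// silently breaks the embed; we report it rather than accept it.
const KNOWN_FLAGS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Split a sandbox attribute value into its flag set. `null` means the attribute
// is absent (no sandbox at all); '' means a bare `sandbox` (fully restricted).
function parseSandbox(value) {
  if (value === null) return null;
  const flags = new Set();
  const unknown = [];
  for (const raw of value.split(/[ \t\n\f\r]+/)) {
    if (raw === '') continue;
    const token = raw.toLowerCase();
    if (KNOWN_FLAGS.has(token)) flags.add(token); else unknown.push(token);
  }
  return { flags, unknown };
}

// Resolve the frame's origin relative to the embedder. data:, javascript: and
// other opaque cases come back as "null" from the URL API and are never same-origin.
function frameOrigin(src, embedderOrigin) {
  try { return new URL(src, embedderOrigin).origin; } catch { return 'null'; }
}

// Audit one iframe. Returns an array of {code, message}; an empty array means the
// sandbox is present, well formed and carries no risky combination.
function auditIframe({ src, sandbox }, embedderOrigin) {
  const findings = [];
  const parsed = parseSandbox(sandbox);
  if (parsed === null) {
    findings.push({ code: 'MISSING', message: `no sandbox attribute on ${src}` });
    return findings;
  }
  const { flags, unknown } = parsed;
  for (const t of unknown) {
    findings.push({ code: 'UNKNOWN', message: `unrecognised flag "${t}" is ignored by browsers` });
  }
  const sameOrigin = frameOrigin(src, embedderOrigin) === new URL(embedderOrigin).origin;
  if (flags.has('allow-scripts') && flags.has('allow-same-origin')) {
    findings.push(sameOrigin
      ? { code: 'ESCAPE', message: 'same-origin frame with allow-scripts + allow-same-origin can reach window.parent.document and remove its own sandbox attribute' }
      : { code: 'INFO', message: 'cross-origin frame keeps its real origin (own cookies and storage) and can run script' });
  }
  if (flags.has('allow-top-navigation')) {
    findings.push({ code: 'TOPNAV', message: 'frame may navigate the top-level page without user activation' });
  }
  if (flags.has('allow-modals') && !flags.has('allow-scripts')) {
    findings.push({ code: 'NOOP', message: 'allow-modals has no effect without allow-scripts' });
  }
  return findings;
}

// Pull every <iframe ...> start tag out of an HTML string with its src and sandbox
// attributes. A regex is enough for a lint pass over static markup; a bare
// `sandbox` attribute is kept as '' so it stays distinct from absence (null).
function extractIframes(html) {
  const out = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const frame = { src: '', sandbox: null };
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (name === 'src') frame.src = value;
      if (name === 'sandbox') frame.sandbox = value;
    }
    out.push(frame);
  }
  return out;
}

function scanHtml(html, embedderOrigin) {
  return extractIframes(html).map(f => ({ ...f, findings: auditIframe(f, embedderOrigin) }));
}

// Constructed sample page (not a real site) mixing good and bad embeds.
const SAMPLE_HTML = `
<iframe src="https://ads.example.net/slot.html" sandbox="allow-scripts allow-popups"></iframe>
<iframe src="/legacy/widget.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://pay.example.com/hosted-fields" sandbox="allow-scripts allow-forms allow-same-origin"></iframe>
<iframe src="terms.html" sandbox></iframe>
<iframe src="https://video.example.org/embed/1"></iframe>
<iframe src="/help.html" sandbox="allow-script allow-modals"></iframe>
`;

for (const f of scanHtml(SAMPLE_HTML, 'https://shop.example.com')) {
  console.log(f.src, f.sandbox === null ? '(no sandbox)' : JSON.stringify(f.sandbox));
  for (const x of f.findings) console.log('  ' + x.code + ': ' + x.message);
}
```

Run with `node lint-iframes.js` (the filename is an assumption). The distinction the linter draws between ESCAPE and INFO is the one that matters in review: the second frame is loaded from the embedder’s own origin, so the two flags together give it the host page, while the third frame is a cross-origin payment form for which the same flags are merely a larger-than-minimal grant. The last frame shows why unknown tokens are worth reporting: ‘allow-script’ is not a flag, so scripts stay blocked and the allow-modals grant beside it does nothing.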


Automating iFrame Sandboxing


Applying iframe sandboxing with the right restrictions requires some expertise, and keeping the configuration effective as embeds change requires continuous administration. In addition, identifying the pages eligible for top-level iframe sandboxing can be challenging and time consuming.

Tala’s application analysis engine continuously scans all iframes present on a set of pages to discover the capabilities they actually use (e.g. pop-ups, scripts). This allows an appropriate sandbox configuration to be derived for each iframe. Sandboxing can be applied to a single URL, a set of URLs, or every URL the iframe appears on, and can be disabled instantly from the Tala console if required. Learn more about how WARP works.


Is your website secure?

Request a free website analysis to find out.