New Features: Introducing iFrame Sandboxing and Feature Policy

Web integrations and rich user experience present cybercriminals with an ever-expanding surface to attack. Key new features in Tala’s solution will broaden your defenses.

We all know how first- and third-party integrations enhance user experience and deliver rich, dynamic websites and web applications. Unfortunately, these same enhancements provide an ever-expanding attack surface to cybercriminals. Even trusted, whitelisted applications can be compromised to steal data.

The web is always evolving and so are the attackers. At Tala, we spend a lot of time evaluating existing and emerging security standards, looking for new use cases and ways to expand our already-comprehensive standards-based protection. That’s why we’re really pleased to announce two key new features that we’ll be releasing in the coming weeks: iFrame security controls and Feature Policy.

Let’s take a look at what they are and how they can work for our customers:

iFrame security controls:

An iframe (inline frame) is the HTML element used to embed another HTML document into the current one. This kind of embedded content can be seen across the web, most commonly in the form of videos and ads. Enterprises use iframes for multiple reasons, including advertising, media integration and payment pages.

One of the challenges customers have faced with iframes is that forms in iframes can be used to retrieve user input. Misuse of iframes has given rise to attacks including but not limited to malvertising, clickjacking and cross-site scripting. For example, a recent attack compromised an iframe on Braintree, the widely used e-commerce payment system: a digital skimmer compromised the Braintree hosted fields payment form on an e-commerce website. The problem with attacks like these is that they are able to steal the data while allowing the transaction to complete successfully. For both vendor and customer, everything’s all right – until it isn’t.

Tala’s iframe sandboxing feature leverages the W3C iframe HTML5 specification, which is rooted in the principle of least privilege. Security experts define this as the concept of granting the minimum level of privilege required to perform a particular operation.

When an iframe is sandboxed via Tala, its functionality can be set anywhere from relaxed to highly restrictive.

Feature Policy:

In the current data privacy and compliance climate, the ability to catalog and restrict all behaviors on a website that might breach the privacy of customers is paramount. Regulations are tightening in parallel with a rapidly evolving end-user browser experience: it’s common for browsers to access the microphone, camera or geolocation of customer phones or other hardware. 

This can greatly enhance user experience, but all that functionality carries a security and privacy risk that enterprises can now restrict with a new HTTP Feature Policy header that most browsers support.

Feature policy allows website owners to specify which domains can access sensitive user information and resources, ensuring the privacy of their users. For example, feature policy allows a website to block a third-party script from accessing the user’s microphone or camera. 

Tala now supports the feature policy header and allows you to specify how stringent or lax the access should be for each site. It’s possible to specify a list of trusted origins or even block access altogether. 

A sample policy is illustrated below. This makes sure that geolocation is only accessed by the website and no third parties, the camera is not accessible, and fullscreen capability can be used by all origins.
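The policy described above, written out as a `Feature-Policy` header value and checked against a few origins. This is an added example, not Tala's own policy or code; the origin `https://shop.example` and the function names are assumptions made for illustration.

```javascript
// Added example (not from the original post). Origins below are constructed.
const SITE_ORIGIN = 'https://shop.example';

// The sample policy as described in the text.
const samplePolicy = {
  geolocation: ["'self'"], // the website itself, no third parties
  camera: ["'none'"],      // not accessible to anyone
  fullscreen: ['*'],       // usable by all origins
};

const KEYWORDS = new Set(["'self'", "'none'", '*']);

// Serialize { feature: [allowlist entries] } into a Feature-Policy header value,
// rejecting malformed or contradictory allowlists before they are deployed.
function buildFeaturePolicy(policy) {
  return Object.entries(policy).map(([feature, allowlist]) => {
    if (!/^[a-z][a-z-]*$/.test(feature)) throw new Error(`bad feature name: ${feature}`);
    if (allowlist.length === 0) throw new Error(`no allowlist given for ${feature}`);
    if (allowlist.includes("'none'") && allowlist.length > 1) {
      throw new Error(`'none' cannot be combined with other entries (${feature})`);
    }
    for (const entry of allowlist) {
      // Anything that is not a keyword must be a bare origin: scheme://host[:port]
      if (!KEYWORDS.has(entry) && new URL(entry).origin !== entry) {
        throw new Error(`not an origin: ${entry}`);
      }
    }
    return `${feature} ${allowlist.join(' ')}`;
  }).join('; ');
}

// Simplified model of the header allowlist only: would `origin` be permitted to
// use `feature` on a page served from `siteOrigin`? Delegation through an
// iframe's `allow` attribute is not modelled here.
function isAllowed(policy, feature, origin, siteOrigin) {
  const allowlist = policy[feature];
  if (!allowlist) return undefined; // feature not listed: browser default applies
  if (allowlist.includes('*')) return true;
  if (allowlist.includes("'none'")) return false;
  return allowlist.some((e) => (e === "'self'" ? siteOrigin : e) === origin);
}

console.log(`Feature-Policy: ${buildFeaturePolicy(samplePolicy)}`);
```
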

 

With Feature Policy support, Tala is able to catalog, alert on and restrict behaviors that violate the privacy of users.

*** This is a Security Bloggers Network syndicated blog from Tala Blog authored by Deepika Gajaria, Senior Director, Product Management. Read the original post at: https://blog.talasecurity.io/new-features-introducing-iframe-sandboxing-and-feature-policy