
Paul’s Security Weekly: Securing iframes using the sandbox attribute

Our Senior Security Researcher, Benjamin Daniel Mussler, has been invited to the Security Weekly podcast to talk about the security of iframes and, in particular, how to secure iframes using the sandbox attribute.

Benjamin first talked about how traditional framesets have become completely obsolete but iframes still remain a popular web mechanism, for example, when serving third-party ads. The problem with iframes is that when embedding external content, you entrust the security of your users to a third party, and you have no control over the security of a third-party site. This was the primary reason behind introducing the sandbox attribute, which has been around for more than 10 years, and which limits certain actions within the iframe (scripts, forms, modals, and more).

By default, if you add the sandbox attribute with no value, you block all potentially dangerous actions, which is the best choice for static third-party content. However, for dynamic third-party content to work properly, you must lift certain restrictions by adding specific tokens to the attribute value. For example, if Facebook or Twitter content is included in the iframe, the user would not be able to fully interact with that content unless you lift some restrictions.

Most of Benjamin’s talk focused on which restrictions should be lifted in which cases and what are the potential security and privacy risks associated with lifting specific restrictions. Benjamin also mentioned how Invicti products analyze iframe configuration, report potential vulnerabilities, and provide guidance on how to use the sandbox attribute more effectively.
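To make the discussion above concrete (the empty sandbox attribute as the safe default, and the need to review each token you add back), here is an added example of a small audit helper. It is not code from the podcast, from Acunetix or from Invicti products; the token names are the standard HTML sandbox tokens, the `auditSandbox`, `renderIframe` and `parseSandbox` function names and the risk messages are this example's own choices, and the sample attribute values at the bottom are constructed.

```javascript
// Added example (not from the original post): parse an iframe sandbox
// attribute value, flag token combinations a reviewer would want to look at,
// and render a correctly escaped <iframe> tag for a given token list.

// Standard HTML sandbox tokens (hypothetical audit list built for this example;
// browsers simply ignore tokens they do not recognise).
const KNOWN_TOKENS = new Set([
  "allow-downloads",
  "allow-forms",
  "allow-modals",
  "allow-orientation-lock",
  "allow-pointer-lock",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-presentation",
  "allow-same-origin",
  "allow-scripts",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// The attribute value is a space-separated, case-insensitive token list.
// Returns null when the attribute is absent (no sandbox at all) and an
// empty Set for `sandbox` / `sandbox=""` (everything restricted).
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(
    String(value).trim().toLowerCase().split(/\s+/).filter(Boolean)
  );
}

// Defender-side review of one sandbox value. Returns the normalised token
// list plus human-readable findings; an empty findings array means the
// configuration needs no further attention from this checker.
function auditSandbox(value) {
  const tokens = parseSandbox(value);
  const findings = [];
  if (tokens === null) {
    findings.push("no sandbox attribute: framed content runs without restrictions");
    return { tokens: [], findings };
  }
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown token (ignored by browsers): ${t}`);
  }
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push(
      "allow-scripts + allow-same-origin: if the framed document shares the embedder's origin, " +
      "its scripts can remove the sandbox attribute"
    );
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation: frame may navigate the top-level page without user activation");
  }
  return { tokens: [...tokens].sort(), findings };
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render the embed markup. With no tokens the bare `sandbox` attribute is
// emitted, which is the fully restricted default the talk recommends for
// static third-party content.
function renderIframe(src, tokens = []) {
  const sandbox = tokens.length ? ` sandbox="${tokens.join(" ")}"` : " sandbox";
  return `<iframe src="${escapeAttr(src)}"${sandbox}></iframe>`;
}

// Constructed sample values for a quick look at the output.
const SAMPLES = [null, "", "allow-scripts allow-forms", "allow-scripts allow-same-origin", "allow-scrpits"];
for (const v of SAMPLES) {
  console.log(JSON.stringify(v), "=>", auditSandbox(v).findings);
}
console.log(renderIframe("https://third-party.example/widget?a=1&b=2"));
```

The helper is deliberately conservative: it only reports combinations whose effect follows directly from the HTML sandbox semantics, and it treats a bare `sandbox` attribute as the baseline to lift from rather than the other way round.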

Watch the full episode:

THE AUTHOR
Tomasz Andrzej Nidecki
Technical Content Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.

*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/0oH7mdq1voA/