Paul’s Security Weekly: Securing iframes using the sandbox attribute - Security Boulevard

SBN Paul’s Security Weekly: Securing iframes using the sandbox attribute

Our Senior Security Researcher, Benjamin Daniel Mussler, has been invited to the Security Weekly podcast to talk about the security of iframes and, in particular, how to secure iframes using the sandbox attribute.

Benjamin first talked about how traditional framesets have become completely obsolete but iframes still remain a popular web mechanism, for example, when serving third-party ads. The problem with iframes is that when embedding external content, you entrust the security of your users to a third party, and you have no control over the security of a third-party site. This was the primary reason behind introducing the sandbox attribute, which has been around for more than 10 years, and which limits certain actions within the iframe (scripts, forms, modals, and more).

DevOps Experience

By default, if you add the sandbox attribute without arguments, you block all potentially dangerous actions, which is the best choice for static third-party content. However, for dynamic third-party content to work properly, you must lift certain restrictions by using specific arguments. For example, if Facebook or Twitter content is included in the iframe, it would not be possible for the user to fully interact with that content unless you lift some restrictions.

Most of Benjamin’s talk focused on which restrictions should be lifted in which cases and what are the potential security and privacy risks associated with lifting specific restrictions. Benjamin also mentioned how Invicti products analyze iframe configuration, report potential vulnerabilities, and provide guidance on how to use the sandbox attribute more effectively.

Watch the full episode:

Tomasz Andrzej Nidecki
Technical Content Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.

*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: