iFrame – Sandbox Attribute

iFrame – Sandbox Attribute

Mark December 29, 2020

When using iFrame in a web page it is important to configure it as a sandbox and set only the attributes need to run.

The below infromation and sandbox attributes can be found here … https://www.w3schools.com/tags/att_iframe_sandbox.asp

“The sandbox attribute enables an extra set of restrictions for the content in the iframe.

When the sandbox attribute is present, and it will:

  • treat the content as being from a unique origin
  • block form submission
  • block script execution
  • disable APIs
  • prevent links from targeting other browsing contexts
  • prevent content from using plugins (through <embed>, <object>, <applet>, or other)
  • prevent the content to navigate its top-level browsing context
  • block automatically triggered features (such as automatically playing a video or automatically focusing a form control)

The value of the sandbox attribute can either be just sandbox (then all restrictions are applied), or a space-separated list of pre-defined values that will REMOVE the particular restrictions.”

To get a better understanding of using iFrame attributes there is an example here …

https://www.w3schools.com/tags/tryit.asp?filename=tryhtml5_iframe_sandbox

Python Script to find iFrames

This script which will look at a websites url and search for “<iframe”, “</iframe>” and “sandbox=” which would indicate there is an iframe on the website and is it is sandboxed.

Below is an example of the script finding an iFrame on a website with a sandbox value.

Github link – https://github.com/MarkSpencerIT/SecurityTools/blob/main/iframesearch.py

At the moment there is a problem if the website is behind a WAF, this looks to be down to the how the certificate is managed.