Medium

This test page demonstrates a security vulnerability where an iframe is granted access to powerful browser features like camera, microphone, geolocation, and other potentially sensitive capabilities.

Security Issue: IFrame with the allow attribute granting overly permissive access to sensitive browser features like camera, microphone, and geolocation, which increases the attack surface.

Test Case

Vulnerable code:
<iframe
  src="../assets/iframe-content.html"
  allow="camera; microphone; geolocation; display-capture; autoplay"
  width="100%"
  height="300"
></iframe>

Explanation

The allow attribute controls which features are available to an iframe through the Permissions Policy. Granting sensitive permissions to untrusted iframes creates security and privacy risks.

These permissions should only be granted when absolutely necessary and with proper user consent, especially for third-party content.

How Pink Sock detects this issue:

Pink Sock analyzes the allow attribute on iframe elements and flags potentially risky features, especially when granted to cross-origin iframes or without additional security measures.
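The check described above, as an added example that is not Pink Sock's own code: it parses an allow attribute with the Permissions Policy directive grammar (feature name, then a space-separated allowlist; a bare feature defaults to 'src'), works out whether the frame at the iframe's src origin actually receives the feature, and reports the sensitive ones. The risk tiers and the page origin are assumptions for the demo; header-style `feature=()` entries are reported as malformed because the allow attribute uses `feature 'none'` instead.

```javascript
// Risk tiers assumed for this demo (see the High-Risk Features table).
const HIGH_RISK = new Set(["camera", "microphone", "geolocation", "display-capture", "payment"]);
const MEDIUM_RISK = new Set(["midi", "idle-detection"]);

// Parse "camera; microphone 'none'; geolocation https://a.example" into a Map
// of feature -> allowlist. A feature with no allowlist defaults to 'src'
// (the origin of the iframe's src attribute).
function parseAllow(value) {
  const policy = new Map();
  for (const directive of value.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Does this allowlist grant the feature to a frame at frameOrigin embedded by pageOrigin?
function grants(allowlist, frameOrigin, pageOrigin) {
  return allowlist.some(entry =>
    entry === "*" ||
    entry === "'src'" ||                                 // always the frame's own origin
    (entry === "'self'" && frameOrigin === pageOrigin) ||
    entry === frameOrigin);                              // explicit origin
}

// Audit one <iframe> (src, allow, sandbox) embedded by a page at pageOrigin.
function auditIframe({ src, allow = "", sandbox = null }, pageOrigin) {
  const frameOrigin = new URL(src, pageOrigin).origin;
  const crossOrigin = frameOrigin !== pageOrigin;
  const findings = [];
  for (const [feature, allowlist] of parseAllow(allow)) {
    if (feature.includes("=")) {
      findings.push({ feature, severity: "error",
        reason: "HTTP header syntax inside allow; browsers ignore this directive" });
      continue;
    }
    const severity = HIGH_RISK.has(feature) ? "high" : MEDIUM_RISK.has(feature) ? "medium" : null;
    if (!severity || !grants(allowlist, frameOrigin, pageOrigin)) continue;
    findings.push({ feature, severity, crossOrigin, sandboxed: sandbox !== null });
  }
  return findings;
}

// Constructed sample: the vulnerable iframe from this page, embedded by a same-origin page.
const PAGE_ORIGIN = "https://app.example";
const VULNERABLE = { src: "../assets/iframe-content.html",
  allow: "camera; microphone; geolocation; display-capture; autoplay" };
```

`auditIframe(VULNERABLE, PAGE_ORIGIN)` returns four high findings (autoplay is not in the risk sets); a third-party src with the same allow value yields the same findings with `crossOrigin: true`.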

How to fix:

There are several approaches to mitigate this risk:

  1. Only grant necessary permissions, following the principle of least privilege
  2. Use empty allowlists to block features completely
  3. Add user activation requirements
  4. Implement proper sandboxing alongside these permissions

<!-- 'none' is the empty allowlist in the allow attribute; the camera=() form
     belongs to the Permissions-Policy HTTP header and is ignored inside allow -->
<iframe
  src="../assets/iframe-content.html"
  allow="camera 'none'; microphone 'none'; geolocation 'none'; display-capture 'none'"
  sandbox="allow-scripts allow-forms"
  width="100%"
  height="300"
></iframe>

Listing a feature with an empty allowlist ('none' in the allow attribute; the equivalent in the Permissions-Policy HTTP header is camera=()) explicitly blocks it, which is more secure than omitting it entirely: an omitted feature falls back to its default allowlist, which for these features is 'self', so a same-origin iframe would still be able to use it.

Additional Information

Feature Policy Syntax

The allow attribute accepts the following syntax variations:

High-Risk Features

The following features are considered particularly sensitive:

Feature          Risk     Recommendation
---------------  -------  -----------------------------
camera           High     Block or require user gesture
microphone       High     Block or require user gesture
geolocation      High     Block or require user gesture
display-capture  High     Block in most cases
midi             Medium   Block if not needed
payment          High     Block if not needed
idle-detection   Medium   Block if not needed