This test page demonstrates a security vulnerability where an iframe is included without a sandbox attribute. An unsandboxed iframe has the same permissions as the parent page, which can lead to significant security risks.
Test Case
```html
<iframe src="../assets/iframe-content.html"></iframe>
```
Explanation
When an iframe does not have a sandbox attribute, it inherits the same permissions as the parent page. This means:
- Scripts in the iframe can access the parent window's DOM through window.parent
- The iframe can navigate the top-level window without user interaction
- Forms within the iframe can submit to any target
- The iframe can execute scripts, create popups, and access cookies
These capabilities significantly increase the attack surface of your website, especially when loading third-party or user-generated content in iframes.
How Pink Sock detects this issue:
Pink Sock scans the DOM for iframe elements and checks whether each one has a sandbox attribute. Any iframe found without this attribute is flagged as a high-severity security issue.
How to fix:
Always add a sandbox attribute to iframes, granting only the minimum permissions needed:
```html
<iframe
  src="../assets/iframe-content.html"
  sandbox="allow-scripts allow-forms"
></iframe>
```
This provides a reasonable level of protection while still allowing scripts and forms to function. Only add additional permissions if specifically needed for functionality.
Additional Information
Sandbox Attribute Values
The sandbox attribute can take multiple values to allow specific capabilities:
| Value | Description | Security Risk |
|---|---|---|
| allow-forms | Allows form submission | Low |
| allow-scripts | Allows JavaScript execution | Medium |
| allow-same-origin | Allows same-origin access | Medium |
| allow-top-navigation | Allows navigation of the top-level window | High |
| allow-popups | Allows popups from the iframe | Medium |
| allow-storage-access-by-user-activation | Allows access to storage with user activation | Low |
Note: Combining allow-scripts and allow-same-origin can completely bypass the sandbox protection, which is another security vulnerability that Pink Sock detects.
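The detection described under "How Pink Sock detects this issue" and the allow-scripts/allow-same-origin note above, as an added example that is not Pink Sock's own code: `auditSandbox` takes the raw attribute value (null when absent, as `Element.getAttribute` returns it), and the severity strings and the hypothetical `auditIframes` browser wrapper are assumptions.

```javascript
// Added example, not Pink Sock's own code: a minimal version of the checks the
// page describes. `sandboxValue` is the raw attribute value, or null when the
// attribute is absent. Severity strings are assumptions chosen to match the
// page's risk table.
const HIGH_RISK_TOKENS = new Set(['allow-top-navigation']); // rated "High" in the table above

function auditSandbox(sandboxValue) {
  const findings = [];
  if (sandboxValue === null || sandboxValue === undefined) {
    findings.push({
      severity: 'high',
      message: 'no sandbox attribute: the frame runs with the parent page\'s permissions',
    });
    return findings; // nothing else to inspect without an attribute
  }
  // The attribute is a space-separated, case-insensitive token list;
  // sandbox="" is the most restrictive setting and yields no findings.
  const tokens = new Set(sandboxValue.trim().toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push({
      severity: 'high',
      message: 'allow-scripts with allow-same-origin lets a same-origin frame remove its own sandbox',
    });
  }
  for (const token of tokens) {
    if (HIGH_RISK_TOKENS.has(token)) {
      findings.push({ severity: 'high', message: `${token} is a high-risk permission; confirm it is required` });
    }
  }
  return findings;
}

// Browser-side wrapper mirroring the DOM scan the page describes (hypothetical
// helper; `root` is a Document or Element). Not exercised by the sample run below.
function auditIframes(root) {
  return Array.from(root.querySelectorAll('iframe')).map((el) => ({
    src: el.getAttribute('src'),
    findings: auditSandbox(el.getAttribute('sandbox')),
  }));
}

// Constructed sample values standing in for the two iframes shown on this page.
const report = [null, 'allow-scripts allow-forms'].map((v) => ({ sandbox: v, findings: auditSandbox(v) }));
console.log(JSON.stringify(report, null, 2));
```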