This test page demonstrates a security vulnerability where an iframe is given permission to navigate the top-level window without user activation through the allow-top-navigation sandbox directive, which could enable clickjacking attacks.
The test iframe below uses the allow-top-navigation sandbox directive without allow-top-navigation-by-user-activation, allowing the iframe to navigate the top window programmatically without requiring user interaction.
Test Case
<iframe
src="../assets/iframe-content.html"
sandbox="allow-scripts allow-top-navigation"
width="100%"
height="300"
></iframe>
Explanation
The allow-top-navigation sandbox directive allows an iframe to navigate the top-level window to any URL. This creates significant security risks:
- Iframes can redirect the entire page without user interaction
- Malicious iframes could redirect users to phishing sites
- Users may not realize they've been redirected to a different domain
- This capability enables sophisticated clickjacking and redirection attacks
The risk is compounded when combined with allow-scripts, as JavaScript can execute navigation programmatically without any user interaction.
How Pink Sock detects this issue:
Pink Sock analyzes the sandbox attribute on iframe elements and flags the presence of allow-top-navigation
without allow-top-navigation-by-user-activation as a medium-severity security issue, especially when
combined with allow-scripts.
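As an added example (not Pink Sock's own code), the following JavaScript shows how a detector can tokenize an iframe's sandbox attribute and classify it the way this page describes. It goes slightly beyond the text in two ways: it also flags the allow-top-navigation-to-custom-protocols token listed in the table further down, and it follows the HTML specification's precedence rule that allow-top-navigation lifts the user-activation requirement even when allow-top-navigation-by-user-activation is also present. The severity labels (medium, high, low), the `programmatic` flag, the function names and the regex-based `scanHtml` helper are this example's own assumptions, and the sample HTML is constructed.

```javascript
// Added example, not Pink Sock's own code. Classifies the sandbox attribute of an
// <iframe> as the page describes and scans raw HTML text for iframe tags.
// Assumptions: severity labels are this example's own (medium for allow-top-navigation,
// high for the custom-protocols token, low for the user-activation-gated token), and
// scanHtml is a simple regex scanner rather than a full HTML parser.

const ALLOW_TOP = "allow-top-navigation";
const ALLOW_TOP_UA = "allow-top-navigation-by-user-activation";
const ALLOW_TOP_CUSTOM = "allow-top-navigation-to-custom-protocols";
const ALLOW_SCRIPTS = "allow-scripts";

// The sandbox attribute is an ASCII-whitespace separated, case-insensitive set of tokens.
function parseSandboxTokens(value) {
  return new Set(
    String(value).toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean)
  );
}

// Returns a list of findings for one sandbox attribute value (empty list = nothing to report).
function analyzeSandbox(value) {
  const tokens = parseSandboxTokens(value);
  const findings = [];
  const scripted = tokens.has(ALLOW_SCRIPTS);

  if (tokens.has(ALLOW_TOP)) {
    // Per the HTML spec, allow-top-navigation removes both top-navigation restrictions,
    // so it is flagged even if allow-top-navigation-by-user-activation is also present.
    findings.push({
      severity: "medium",
      token: ALLOW_TOP,
      programmatic: scripted,
      message: scripted
        ? "top-level navigation allowed without user activation; allow-scripts lets it happen programmatically"
        : "top-level navigation allowed without user activation",
    });
  } else if (tokens.has(ALLOW_TOP_UA)) {
    findings.push({
      severity: "low",
      token: ALLOW_TOP_UA,
      programmatic: false,
      message: "top-level navigation allowed only after user activation",
    });
  }

  if (tokens.has(ALLOW_TOP_CUSTOM)) {
    findings.push({
      severity: "high",
      token: ALLOW_TOP_CUSTOM,
      programmatic: scripted,
      message: "top-level navigation to custom protocol handlers allowed",
    });
  }
  return findings;
}

// Minimal scanner: finds <iframe> tags in HTML text and analyzes their sandbox attribute.
// Iframes without a sandbox attribute are reported separately, since token analysis
// does not apply to them.
function scanHtml(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  // Matches a bare "sandbox" attribute or sandbox="...", sandbox='...', sandbox=value
  const attrRe = /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = attrRe.exec(m[1]);
    if (!a) {
      results.push({ sandbox: null, findings: [], note: "no sandbox attribute" });
      continue;
    }
    // A bare "sandbox" attribute has an empty value, meaning every restriction applies.
    const value = a[1] || a[2] || a[3] || "";
    results.push({ sandbox: value, findings: analyzeSandbox(value) });
  }
  return results;
}

// Constructed sample: the page's test case, its fixed form, and an unsandboxed iframe.
const SAMPLE_HTML = `
<iframe src="../assets/iframe-content.html"
        sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="../assets/iframe-content.html"
        sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src="../assets/iframe-content.html"></iframe>
`;

for (const r of scanHtml(SAMPLE_HTML)) {
  console.log(JSON.stringify(r));
}
```

Running the block prints one JSON line per iframe in the constructed sample: the first is flagged medium with `programmatic: true`, the second low, and the third is reported as having no sandbox attribute. Because the scanner is regex based, it is suitable for static test pages like this one; a production scanner should read the attribute from the live DOM or a real HTML parser.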
How to fix:
There are several approaches to mitigate this risk:
- Use allow-top-navigation-by-user-activation instead, which requires user interaction before navigation
- Remove top navigation permissions entirely if not required
- Implement a proper Content Security Policy (CSP) with the frame-ancestors directive
<iframe
src="../assets/iframe-content.html"
sandbox="allow-scripts allow-top-navigation-by-user-activation"
width="100%"
height="300"
></iframe>
This ensures that navigation can only occur after explicit user interaction, such as clicking a link, reducing the risk of silent redirects.
Additional Information
Sandbox Navigation Values
The sandbox attribute provides several navigation-related values:
| Value | Description | Security Risk |
|---|---|---|
| allow-top-navigation | Allows navigation of the top-level window | High |
| allow-top-navigation-by-user-activation | Allows navigation only after user interaction | Medium |
| allow-top-navigation-to-custom-protocols | Allows navigation to custom protocol handlers | High |
Real-World Attack Scenario
A malicious iframe with allow-top-navigation could:
- Be embedded in a legitimate website through an XSS vulnerability or compromised third-party content
- Wait for the user to enter sensitive information on the legitimate site
- Silently redirect the top window to a visually identical phishing site
- Capture credentials entered by the user who believes they're still on the legitimate site
Defense in Depth
In addition to proper sandbox restrictions, consider implementing:
- Content Security Policy with frame-src and frame-ancestors directives
- X-Frame-Options headers to control framing
- Subresource Integrity (SRI) for third-party resources
- Regular security audits of embedded content