This test page demonstrates a critical security vulnerability where an iframe's sandbox protection is effectively bypassed
by combining the allow-scripts and allow-same-origin values.
Combining allow-scripts and allow-same-origin in a sandbox attribute completely negates the security benefits of sandboxing, because scripts in the frame can access the parent context.
Test Case
<iframe
src="../assets/iframe-content.html"
sandbox="allow-scripts allow-same-origin"
></iframe>
Explanation
The combination of allow-scripts and allow-same-origin in a sandbox attribute creates a dangerous security vulnerability:
- allow-scripts enables JavaScript execution within the iframe
- allow-same-origin lets the iframe maintain its origin, preserving access to cookies, localStorage, and other origin-specific resources
- When combined, scripts in the iframe can access everything that belongs to its origin, including parent window content if they share the same origin
This effectively negates the security benefits of the sandbox attribute, as malicious code in the iframe can potentially:
- Read or modify parent page content
- Access cookies and local storage
- Hijack user sessions
- Conduct cross-site scripting (XSS) attacks
How Pink Sock detects this issue:
Pink Sock analyzes the sandbox attribute on iframe elements and specifically looks for the combination of allow-scripts and allow-same-origin, flagging it as a high-severity security vulnerability.
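As an added illustration of the rule described above (example code, not Pink Sock's own implementation): a Node.js script that scans raw HTML for iframe elements, tokenizes the sandbox attribute, and flags the allow-scripts plus allow-same-origin combination. The sample HTML, the finding format and the relative-src same-origin heuristic are this example's own assumptions.

```javascript
// Each <iframe ...> opening tag (attributes may span lines); a literal '>'
// inside an attribute value would cut the match short, acceptable here.
const IFRAME_TAG = /<iframe\b([^>]*)>/gi;
// One attribute: name="value", name='value', name=value, or a bare name.
const ATTRIBUTE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTRIBUTE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Sandbox tokens form an ASCII case-insensitive, whitespace-separated set.
function sandboxTokens(value) {
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

// Heuristic (assumption): a src with no scheme and no leading "//" is a
// relative URL, so the frame resolves to the embedding page's own origin.
function looksSameOrigin(src) {
  return !/^[a-z][a-z0-9+.-]*:|^\/\//i.test(src);
}

// One finding per sandboxed iframe that combines the two tokens.
function findSandboxEscapes(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_TAG)) {
    const attrs = parseAttributes(m[1]);
    if (!("sandbox" in attrs)) continue; // unsandboxed frames are a separate check
    const tokens = sandboxTokens(attrs.sandbox);
    if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
      const src = attrs.src ?? "";
      findings.push({ src, sandbox: attrs.sandbox, severity: "high",
                      sameOriginSrc: looksSameOrigin(src) });
    }
  }
  return findings;
}
// Constructed sample: the page's test case, its fixed form, and a cross-origin
// frame that spells the same combination in upper case.
const SAMPLE_HTML = `<iframe
src="../assets/iframe-content.html"
sandbox="allow-scripts allow-same-origin"
></iframe>
<iframe src="../assets/iframe-content.html" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="https://example.org/widget" sandbox="ALLOW-SAME-ORIGIN allow-scripts"></iframe>`;
console.log(JSON.stringify(findSandboxEscapes(SAMPLE_HTML), null, 2));
```

The sameOriginSrc field separates the case the page describes (a same-origin frame that can lift its own sandbox) from a cross-origin frame carrying the same combination, which still merits review.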
How to fix:
Never combine allow-scripts and allow-same-origin in a sandbox attribute. Instead:
<iframe
src="../assets/iframe-content.html"
sandbox="allow-scripts allow-forms"
></iframe>
If you need script execution but not same-origin privileges, use allow-scripts without allow-same-origin. If you absolutely need same-origin access, consider alternative security measures such as Content Security Policy (CSP) and proper input validation.
Additional Information
Security Impact
According to the HTML specification, combining these two values creates a significant security risk. The Mozilla Developer Network (MDN) documentation explicitly warns:
"Allowing both scripts and same-origin access disables the sandbox protection entirely for that iframe."
Alternative Approaches
If you need to load content from the same origin with script execution, consider:
- Using a more restrictive Content Security Policy
- Using frame-src or worker-src CSP directives to control what can be loaded
- Implementing proper input validation and output encoding
- Using cross-document messaging (postMessage) for communication between frames