Is there any way to detect if an iframed page is sandboxed or not?
I have tried the sandbuster js library but it no longer seems to work over cross-domain.
I also tried to catch exceptions on window.frameElement, but it's always null.
The reason I am asking is that the sandboxing feature is used by someone to bypass our protections and load our content without tracking and advertising.
Related
I have a use case where I need to accept javascript from users of my app and evaluate it using eval. I figured the 'safe' way would be to use web workers inside of a sandboxed iframe.
I found this article in my research, following which I was able to successfully send code to my web worker and get the eval response back to my main app.
targetOrigin while sending code to the iframe was * (because I don't have allow-same-origin and the iframe's window.origin would be null).
I was wondering if there's any other alternative rather than enabling allow-same-origin on my iframe OR setting *, as both of them pose some sort of security issue, which more or less mitigates the advantages of using the sandboxed iframe in the first place (from what I read online).
Thank you
PS. I did find other SO threads that discuss this issue but none were addressed/came to a conclusion so was looking for a fresh perspective. I am pasting the URL below for the interested members.
javascript - postMessage to sandboxed iframe, why is recipient window origin null?
In our web app/site, I need to use an iframe or a popup window to validate if the current token is valid and refresh it if not.
So, I create an iframe and set the property 'src' to the validation link, such as "https://<domain_name>/auth?client_id=xxx", which is different from our app domain https://<app_domain>, and the return value will be like "https://<domain_name>/code=yyyy".
document.createElement('iframe');
and I added the message handler for the web app/site, like
window.addEventListener("message", this.messageHandler);
In the messageHandler, I will check if the message is from a specified website, and then validate the "code" value, etc.
But when running in Chrome, I always got the error
"Blocked autofocusing on a element in a cross-origin subframe."
What confused me is:
It always failed when running in the Chrome browser, but it works fine in Firefox and Edge Chromium.
I tried to set iframe.sandbox = "allow-forms allow-scripts allow-same-origin"; the problem still existed.
If validating the token in the iframe failed or timed out, I will create a popup window to continue validating and refresh the token. But using the popup window always succeeds. If it is really a cross-origin issue, why does using an iframe fail while using a popup window succeeds?
I didn't use window.postMessage, because I don't know how to pass the return value of the iframe/popup window to the main page.
I used a CORS extension for Chrome, or the parameter --disable-web-security when launching Chrome; the problem still existed.
When I created the iframe or popup window, it was very simple: I just set the iframe.src property, there is no element being created.
Any help will be much appreciated.
p.s.
I refer to the following doc:
Blocked autofocusing on a form control in a cross-origin subframe
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
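The message check this question describes, together with the null-origin case from the sandboxed-iframe question further up, as an added example that is not part of the original posts. All names, the sample origins, the shape of the payload and the helper redeem() in the wiring comment are assumptions.

```javascript
// Added example: all names, origins and sample payloads are constructed.

// Build a parent-side filter for "message" events coming from ONE iframe.
// expectedOrigin: exact origin string of the framed page, or "null" for a
// sandboxed frame without allow-same-origin (its origin is opaque).
// parse: turns untrusted event.data into a value, or returns null.
function makeFrameMessageGuard({ frameWindow, expectedOrigin, parse }) {
  return function accept(event) {
    // Identity check: only the window object we created may talk to us.
    // This is the check that still works when the origin is "null".
    if (event.source !== frameWindow) return null;
    // Exact comparison. A substring test such as includes("idp.example")
    // would also accept https://idp.example.evil.test.
    if (event.origin !== expectedOrigin) return null;
    return parse(event.data);
  };
}

// Payload check for the token-refresh frame: {code: "<opaque string>"}.
// The allowed alphabet and length are assumptions for this sketch.
function parseAuthCode(data) {
  if (typeof data !== "object" || data === null) return null;
  const ok = typeof data.code === "string" &&
    /^[A-Za-z0-9._~-]{8,256}$/.test(data.code);
  return ok ? data.code : null;
}

// targetOrigin for parent -> frame messages. An opaque origin can never be
// named, so "*" is the only value that delivers; in that case send nothing
// secret and rely on the guard above for the replies.
function targetOriginFor(expectedOrigin) {
  return expectedOrigin === "null" ? "*" : expectedOrigin;
}

// Browser wiring (not executed here; AUTH_URL and redeem are hypothetical):
//   const frame = document.createElement("iframe");
//   frame.src = AUTH_URL; document.body.append(frame);
//   const accept = makeFrameMessageGuard({ frameWindow: frame.contentWindow,
//     expectedOrigin: new URL(AUTH_URL).origin, parse: parseAuthCode });
//   window.addEventListener("message", (e) => {
//     const code = accept(e); if (code !== null) redeem(code); });
```

The same guard is used for a popup by passing the window returned from window.open as frameWindow.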
Support for iframes in web development will only get worse over time as they are a security black hole; browsers are gradually locking out features and use of them.
I am assuming you are doing this because you are validating a user on a third party service, validating by watching the response of a third party service website?
Without knowing the service you are using I cannot comment specifically but for anyone looking to do something similar I would highly suggest not doing this:
As mentioned, iframes are constantly having features locked down due to security concerns
An attacker could change the source of the iframe and submit their own iframe to look like it has been correctly validated
It's unlikely that the page you are using as your iframe src is intended for this use, which will come back and bite you when the 3rd party developer changes how their page behaves, which they likely will do without knowing it's going to break your application
I recommend:
Finding a stable API the 3rd party service offers and using that
Finding another service if none exist
Apologies to rain on your parade!
I disagree that iframes are a security risk, rather they can be if not implemented properly.
How to implement them properly should be asked in another question and probably starting with a carefully implemented Content Security Policy as a priority.
I also use iframes within a Chrome extension that has to pass rigorous Google security.
As for the question, I've noticed that error too and I am focusing on an input box when the iframe is loaded and the focus works! I put it down to being a Chrome bug as the warning suggests it has stopped auto focusing when it hasn't.
As for the unrelated point about passing the value back to the parent holding the iframe, I can help you with that, but you should ask it in a new question.
Disable some features in the browser settings
Browser Changes
chrome://flags/#cookies-without-same-site-must-be-secure
chrome://flags/#same-site-by-default-cookies
chrome://flags/#enable-removing-all-third-party-cookies
Just paste each of the above URLs and disable it. Then OK and relaunch the browser.
Then it's done.
What are the application security risks of including a hidden 3rd Party iFrame?
If I understand correctly...
Clickjacking isn't an issue for me because I own the parent page
Same-Origin Policy prevents the 3p frame from interacting with my DOM/cookies/JS
The frame is hidden, so I don't have to worry about anything that may be displayed in the frame
However I did some experiments in the Chrome console and...
3p frame can call things like alert/prompt
3p frame can redirect the parent via location.href
Malware inside the 3p frame (java/flash/activeX) could infect my user
I'd love to see a list of the possible issues and any mitigations, but I can't find a good source of information.
So...What are the application security risks of including a hidden 3rd Party iFrame?
If you are implementing iframes on your website, you could use the sandbox tag in HTML5's iframe to protect yourself/others on your website.
Source: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox
I don't know how effective it is (the sandbox feature), but it states it can restrict scripts, forms etc inside the iframe.
<iframe sandbox="" src="https://www.example.com"></iframe>
Although not a guaranteed and effective method, it's one of many different ways. On your end though, you could use add-ons such as NoScript to prevent certain/all scripts from running.
It's possible that the 3rd party iframe, as you said, could use exploits such as drive-by-downloads, browser exploits to gain access to your OS and possibly more.
See also here: Why are iframes considered dangerous and a security risk?
Hope this helps.
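To make the sandbox suggestion concrete for the three behaviours listed in the question (dialogs, parent redirect, plugin content), here is an added example, not code from the original posts, that reports which of them a given sandbox attribute value still allows. The function names and the sample attribute values are constructed.

```javascript
// Added example: function names and sample attribute values are constructed.

// What a framed document may still do, given the iframe's sandbox attribute.
// attr === null means the attribute is absent (no sandboxing at all);
// attr === "" means it is present with no allowances (most restrictive).
function sandboxCapabilities(attr) {
  if (attr === null) {
    return { scripts: true, modals: true, topNavigation: "always",
             pluginsBlocked: false };
  }
  // Tokens are ASCII-whitespace separated and matched case-insensitively.
  const tokens = new Set(
    attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
  const scripts = tokens.has("allow-scripts");
  let topNavigation = "blocked";
  if (tokens.has("allow-top-navigation")) {
    topNavigation = "always";
  } else if (tokens.has("allow-top-navigation-by-user-activation")) {
    topNavigation = "user-gesture";
  }
  return {
    scripts,
    // alert()/prompt() need both script execution and allow-modals.
    modals: scripts && tokens.has("allow-modals"),
    topNavigation,
    // Any sandbox attribute disables plugin content.
    pluginsBlocked: true,
  };
}

// Map the capabilities onto the three behaviours observed in the question.
function hiddenFrameFindings(attr) {
  const c = sandboxCapabilities(attr);
  const findings = [];
  if (c.modals) findings.push("frame can open alert/prompt dialogs");
  if (c.topNavigation !== "blocked") {
    findings.push("frame can navigate the parent page (" + c.topNavigation + ")");
  }
  if (!c.pluginsBlocked) findings.push("plugin content is not restricted");
  return findings;
}
```

For a hidden third-party frame that only needs to run its own script, sandbox="allow-scripts" yields no findings, while a frame with no sandbox attribute yields all three.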
Is there any way we can suppress an error that happens on the page? We have an iframe where we are loading third-party websites over which we don't have any control.
Only way to suppress the error is if the code runs on your domain and you can catch it with window.onerror. If it is on theirs [in iframe/frame], there is nothing you can do.
Tell them to fix it or do not include their page.
You cannot modify the code or behavior of a site from a different domain that's in an iframe or a frame. The browser prevents any cross domain modifications. See the "same origin policy" at MDN for details.
It would take a browser plug-in to do what you are describing. If you want to display third party sites in an iframe/frame, you get whatever behavior they produce.
Certain websites like Twitter, Flickr, etc avoid being stuck within an iframe. Is there any way to stop this from happening? I just need to see the public data so I am open to disabling Javascript, etc. How do I disable Javascript running on the iframe? Is this possible?
You can't disable JavaScript on iFrames or any other resources AFAIK.
The only way to reliably do this is to load the sites through a proxy PHP or other server-side script, filter out any JavaScript (which will break many sites), and fix all relative references to images and other media - a task that would take an insane amount of time to complete if you want the sites to actually work.
If you just need some data from the sites, proxying might work. Seeing as the Same Origin Policy would prevent you getting anything from an IFRAME from a different domain anyway, it is also the only way to access content on those sites using JavaScript.
In IE only, there is the <iframe security="restricted"> attribute. This disables JavaScript in the targeted document, which would break a JS frame-escape script — along with all other interaction that's script-dependent.
However, apart from the browser compatibility issue, it's very rude to frame a site that doesn't want to be framed, and it will work less and less anyway as more sites deploy X-Frame-Options.
I'm not sure what you mean by “need to see the public data”... as Pekka said, you won't be able to ‘see’ into an iframe's DOM from outside it, as that would be a security problem.