问题
What are the application security risks of including a hidden 3rd Party iFrame?
If I understand correctly...
- Click jacking isn't an issue for me because I own the parent page
- Same-Origin Policy prevents 3p frame from interacting my dom/cookies/js
- The frame is hidden, so I don't have to worry about anything that may be displayed in the frame
However I did some experiments in the Chrome console and...
- 3p frame can call things like alert/prompt
- 3p frame can redirect the parent via location.href
- Malware inside the 3p frame (java/flash/activeX) could infect my user
I'd love to see a list of the possible issues and any mitigations, but I can't find a good source of information.
So...What are the application security risks of including a hidden 3rd Party iFrame?
回答1:
If you are implementing Iframes on your website, you could use the sandbox tag in HTML5' iframe to prevent yourself/others on your website.
Source: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox
I don't know how effective it is (the sandbox feature), but it states it can restrict scripts, forms etc inside the iframe.
<iframe sandbox="" src="www.example.com"/>
Although not a guaranteed and effective method, it's one of many different ways. On your end though, you could use add-ons such as NoScript to prevent certain/all scripts from running.
It's possible that the 3rd party iframe, as you said, could use exploits such as drive-by-downloads, browser exploits to gain access to your OS and possibly more.
See also here: Why are iframes considered dangerous and a security risk?
Hope this helps.
来源:https://stackoverflow.com/questions/19407214/security-risks-of-including-a-3rd-party-iframe