Insecure Frame (External)
Description
The application uses an HTML iframe element to embed external content from a different origin without proper security restrictions. The iframe either lacks the 'sandbox' attribute entirely or has an insecure sandbox configuration that permits potentially dangerous capabilities. This creates an opportunity for the embedded content to interact with the parent page in unintended ways.
Remediation
Apply the 'sandbox' attribute to all iframes embedding external content to enforce security restrictions by default. Start with an empty sandbox attribute for maximum security, then selectively add only the minimum required directives based on legitimate functionality needs.
Secure baseline configuration:
<iframe src="https://external-site.com" sandbox=""></iframe>
If specific capabilities are required, add only necessary directives:
<iframe src="https://external-site.com"
sandbox="allow-scripts allow-same-origin">
</iframe>
Avoid using 'allow-top-navigation', 'allow-top-navigation-by-user-activation', and 'allow-popups' unless absolutely necessary. Never combine 'allow-scripts' and 'allow-same-origin' for untrusted content from the same origin as the embedding page: with both tokens the framed script keeps the parent's origin and can simply remove the sandbox attribute from its own frame, which negates the sandbox entirely. Consider using the Content Security Policy (CSP) frame-ancestors directive as an additional defense layer.
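The following check is an added example, not part of the original finding text: it scans an HTML document for iframes whose src is cross-origin relative to the page and reports the conditions described above (no sandbox attribute, the risky navigation/pop-up tokens, and the allow-scripts plus allow-same-origin combination). It uses a small attribute regex instead of a DOM so it runs under plain Node.js; the sample markup and the page origin are constructed for the demonstration.

```javascript
// Audit iframe tags in an HTML string for the "Insecure Frame (External)" conditions.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
// Tokens that widen the sandbox the most; each one found is reported for review.
const RISKY_TOKENS = ['allow-top-navigation', 'allow-top-navigation-by-user-activation', 'allow-popups'];

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  // A bare `sandbox` attribute (no value) is valid and equivalent to sandbox="".
  if (!('sandbox' in attrs) && /(^|\s)sandbox(\s|$)/i.test(attrText)) attrs.sandbox = '';
  return attrs;
}

// Returns [{ src, issues: [...] }] for every cross-origin iframe with a weak or missing sandbox.
function auditIframes(html, pageOrigin) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;                         // srcdoc / about:blank frames are out of scope
    let frameOrigin;
    try { frameOrigin = new URL(attrs.src, pageOrigin).origin; } catch { continue; }
    if (frameOrigin === pageOrigin) continue;         // only external (cross-origin) content counts
    const issues = [];
    if (attrs.sandbox === undefined) {
      issues.push('missing sandbox attribute');
    } else {
      const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
      for (const t of RISKY_TOKENS) if (tokens.includes(t)) issues.push(`risky token ${t}`);
      if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
        issues.push('allow-scripts combined with allow-same-origin');
      }
    }
    if (issues.length) findings.push({ src: attrs.src, issues });
  }
  return findings;
}

// Constructed sample markup: one frame per condition, plus a same-origin frame that is ignored.
const SAMPLE_HTML = `
<iframe src="https://external-site.com/widget"></iframe>
<iframe src="https://external-site.com/map" sandbox=""></iframe>
<iframe src="https://external-site.com/ads" sandbox="allow-scripts allow-popups allow-top-navigation"></iframe>
<iframe src='https://external-site.com/editor' sandbox='allow-scripts allow-same-origin'></iframe>
<iframe src="/internal/help"></iframe>
`;
const SAMPLE_PAGE_ORIGIN = 'https://app.example.com';

console.log(JSON.stringify(auditIframes(SAMPLE_HTML, SAMPLE_PAGE_ORIGIN), null, 2));
```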