Invicti identified an external insecure or misconfigured iframe.
IFrame sandboxing enables a set of additional restrictions for the content within a frame in order to restrict its potentially malicious code from causing harm to the web page that embeds it.
Here is an example, the URLs below all belong to the same origin as http://site.com :
Whereas the URLs mentioned below aren't from the same origin as http://site.com :
http://www.site.com (a sub domain)
http://site.org (different top level domain)
https://site.com (different protocol)
http://site.com:8080 (different port)
sandbox attribute is set, the iframe content is treated as being from a unique origin, even if its hostname, port and protocol match exactly. Additionally, sandboxed content is re-hosted in the browser with the following restrictions:
sandbox attribute is not set or not configured correctly, your application might be at risk.
A compromised website that is loaded in such an insecure iframe might affect the parent web application. These are just a few examples of how such an insecure frame might affect its parent:
Sandbox containing a value of :
allow-same-originwill not treat it as a unique origin.
allow-top-navigationwill allow code in the iframe to navigate the parent somewhere else, e.g. by changing parent.location.
allow-formswill allow form submissions from inside the iframe.
allow-popupswill allow popups.
allow-scriptswill allow malicious script execution however it won't allow to create popups.
<iframe sandbox src="framed-page-url"></iframe>
allow-scriptsin sandbox attribute.