Invicti identified a misconfigured sandbox attribute in an iframe.
IFrame sandboxing enables a set of extra restrictions for the content in the inline frame.

The Same Origin policy allows one window to access properties/functions of another one only if they come from the same protocol, the same port and the same domain.

URLs from the same origin:
- http://site.com
- http://site.com/
- http://site.com/my/page.html

URLs not from the same origin:
- http://www.site.com (sub domain)
- http://site.org (different domain)
- https://site.com (different protocol)
- http://site.com:8080 (different port)

When the sandbox attribute is set, the iframe content is treated as being from a unique origin, forms and scripts are disabled, links are prevented from targeting other browsing contexts and plugins are disabled.
With a misconfigured sandbox attribute of an iframe on the same origin:
- A compromised website in the iframe might affect the users of the parent web application.
- With a sandbox attribute containing both the allow-same-origin and allow-scripts flags, the framed page can reach up into the parent and remove the sandbox attribute entirely.
- Avoid the usage of allow-same-origin and allow-scripts at the same time.
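
A check for the flag combination described above, written as an added example (it is not Invicti's code). It compares the frame's origin with the parent's and inspects the sandbox tokens; the function names, verdict labels and sample frames are assumptions constructed for illustration, using the URLs from the list above.

```javascript
// Added example (not Invicti's code): audit iframe sandbox attributes.

// Same-origin comparison: protocol, domain and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// The sandbox attribute is a whitespace-separated, case-insensitive token set.
function sandboxTokens(attr) {
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// parentUrl: page that embeds the frame; src: iframe src (may be relative);
// sandbox: attribute value, or null when the attribute is absent.
function auditIframe(parentUrl, src, sandbox) {
  const frameUrl = new URL(src, parentUrl).href;
  const same = sameOrigin(parentUrl, frameUrl);
  if (sandbox === null) return { sameOrigin: same, verdict: "unsandboxed" };
  const tokens = sandboxTokens(sandbox);
  const both = tokens.has("allow-scripts") && tokens.has("allow-same-origin");
  // Both flags on a same-origin frame: its script can reach the parent
  // and remove the sandbox attribute, so the sandbox gives no protection.
  if (both && same) return { sameOrigin: same, verdict: "misconfigured" };
  if (both) return { sameOrigin: same, verdict: "both-flags-cross-origin" };
  return { sameOrigin: same, verdict: "ok" };
}

// Constructed sample frames, embedded by the hypothetical page http://site.com/
const PARENT = "http://site.com/";
const SAMPLE_FRAMES = [
  { src: "/my/page.html", sandbox: "allow-scripts allow-same-origin" },
  { src: "http://www.site.com/", sandbox: "allow-scripts allow-same-origin" },
  { src: "http://site.com:8080/", sandbox: "ALLOW-SCRIPTS allow-same-origin" },
  { src: "/my/page.html", sandbox: "allow-scripts" },
  { src: "/my/page.html", sandbox: "" },
  { src: "/my/page.html", sandbox: null },
];

function auditAll() {
  return SAMPLE_FRAMES.map((f) => auditIframe(PARENT, f.src, f.sandbox).verdict);
}

for (const [i, v] of auditAll().entries()) {
  console.log(SAMPLE_FRAMES[i].src, JSON.stringify(SAMPLE_FRAMES[i].sandbox), "->", v);
}
```

Only the first sample frame is reported as misconfigured: it is the one that is both same-origin with the parent and carries the two flags together.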