What are the security issues with using an iframe?

380 Asked by AnilJha in Cyber Security, Asked on Mar 29, 2022

We are looking to move to iframes due to technical challenges. By moving to iframes it will be easier to manage the technical issues. But we are not totally sure of the security implications of iframes.

Our website is served over SSL, and the links the user may need to click from our site are also on SSL.

Is it possible to open it in a completely new browser and still have no security issues? What are the things we should keep in mind to make sure our site remains secure while using iframes?


Answered by Amit raj

iFrames can introduce many security issues depending on how they are implemented and where the content is being served. Here are some details on iFrame security options mentioned by Rook:

allow-forms: If this is enabled, iFrames could phish for information, pose as a login form for your website, etc.

allow-scripts: If allow-scripts is enabled, then there is no point in setting allow-forms, since a form can be created in the DOM by Javascript. If you allow scripts in an iFrame it could potentially perform DoS attacks, open browser dialogs, or perform automation on the page that could expose information to others (referrer attribute) or load external objects.

allow-top-navigation: This right allows the iFrame to act as the embedded site or phish the user's credentials.

allow-same-origin: This attribute is intended to display raw HTML documents (HTML email for example) unaltered from the source. The issue is that if the URL is predictable and the attacker can get the user to view the iFrame directly, then the properties of the sandbox are lost. Worse still, the opened web page might traverse the opener object and discover properties about the source page. Finally, there is a proposed MIME type called text/html-sandboxed for content that should always be viewed in a sandboxed environment, but many browsers misinterpret this and will display the data in unusual ways (usually a bad thing).

Source(s): The Tangled Web
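As an added illustration (not part of the question or the answer above), the following Node script audits the token list one would put in an iframe's sandbox attribute, encoding the reasoning from the answer: allow-forms enables look-alike login forms, allow-scripts makes allow-forms redundant, and allow-top-navigation lets the frame redirect the top window. The combined allow-scripts + allow-same-origin finding is a well-known consequence noted in the HTML specification, not something the answer states; the token set and helper names are this example's own.

```javascript
// Tokens of the HTML sandbox attribute relevant to this discussion (constructed subset).
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-scripts", "allow-same-origin",
  "allow-top-navigation", "allow-popups", "allow-modals",
]);

// Audit a sandbox attribute value; returns a list of findings (empty means nothing flagged).
function auditSandbox(sandboxValue) {
  const tokens = new Set(sandboxValue.trim().split(/\s+/).filter(Boolean));
  const findings = [];
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown token: ${t}`);
  }
  if (tokens.has("allow-forms")) {
    findings.push("allow-forms: framed content can present a form that imitates your login page");
  }
  if (tokens.has("allow-scripts")) {
    findings.push("allow-scripts: framed script can build forms, open dialogs, read the referrer, load external objects");
    if (tokens.has("allow-forms")) findings.push("allow-forms is redundant once allow-scripts is set");
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation: frame can navigate the top window to a look-alike site");
  }
  // HTML spec note (not from the answer): if the framed document is same-origin with the
  // embedder, script in it can remove the sandbox attribute from its own iframe element.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin on a same-origin document defeats the sandbox entirely");
  }
  return findings;
}

// Produce the markup for an iframe with an explicit sandbox attribute.
// An empty value (sandbox="") is the most restrictive setting.
function iframeMarkup(src, sandboxValue) {
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${esc(src)}" sandbox="${esc(sandboxValue)}"></iframe>`;
}

// Sample audit of a permissive value versus a locked-down one.
console.log(auditSandbox("allow-scripts allow-forms allow-top-navigation"));
console.log(iframeMarkup("https://example.com/widget?a=1&b=2", ""));
```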
