14

I'd want to embed an iframe from untrusted site into web application. Iframe:

  • should be able to run Javascript and browser plugins (Flash, etc.)
  • should not be able to access my web application through Javascript
  • _self, _parent, _top links should open pages in the same iframe, not full browser window (I don't want my site to be replaced by other)
  • _blank links should be opened in new browser window/tab

(In a word I want to restrict functionality of embedded site as less as possible)

Is it possible to do?

I'm aware of iframe's sandbox attribute but I can't determine if it can be done using it.

Anders
  • 64,406
  • 24
  • 178
  • 215
Andrei Botalov
  • 5,267
  • 10
  • 45
  • 73
  • I guess that you need to make a "controller" that validates the JavaScript of the site or you can hide the functions from the application that he can't use. But it is all a lot of work and if they really want they can avoid your "security". This is very bad practice and I advice you not to implement this. But why do you want this? – Laurence Dec 21 '12 at 14:50
  • @Laurence to display other site inside mine – Andrei Botalov Dec 21 '12 at 18:58
  • 2
    one general problem you would have with this approach is that the site that your framing could break your solution at any point by setting the X-Frame-Options header to 'deny'. – Rory McCune Dec 22 '12 at 16:04
  • @RoryMcCune I can poll framed sites from time to time and check if it has such header or have user's browser send feedback if it sees that it's not possible to show site in iframe. – Andrei Botalov Dec 22 '12 at 17:16
  • There is also problem with sites like stackoverflow.com that have custom clickjacking protection and I think it can be solved in similar way – Andrei Botalov Dec 22 '12 at 17:17
  • 2
    If the IFrame content is untrusted, trusting it for `_blank` isn't such a good idea either. It can easily fool a user by opening a `_blank` for the login page of the same site on a phishing server. User may not notice that a new tab is opened. – Sedat Kapanoglu Jan 02 '13 at 20:48

1 Answers1

2

The sandbox attribute will prevent top navigation by default and can be configured to allow scripting using allow-scripts. The same origin policy in all current browsers should prevent any iframes that have content from a different origin (host) from accessing your application using JavaScript, the sandbox attribute will do it even for same-origin iframes.

So in short, sandbox should fulfill your requirements, although you would need to test if _blank works as expected.

However, you should be aware that not all browsers support the sandbox attribute, and the ones that don't will treat the iframe as a non-sandboxed one.

Jan Schejbal
  • 617
  • 4
  • 4