Summary
Acunetix 360 identified a misconfigured sandbox attribute in an iframe.
Impact
IFrame sandboxing enables a set of extra restrictions for the content in the inline frame.
Same Origin policy allows one window to access properties/functions of another one only if they come from the same protocol, the same port and the same domain.URLs from the same origin: http://site.com http://site.com/ http://site.com/my/page.html URLs not from the same origin: http://www.site.com (sub domain) http://site.org (different domain) https://site.com (different protocol) http://site.com:8080 (different port)
When the sandbox
attribute is set, the iframe content is treated as being from a unique origin, forms and scripts are disabled, links are prevented from targeting other browsing contexts and plugins are disabled.
When misconfigured sandbox
attribute of an iframe on the same origin:
- Compromised website in the iframe might affect the users in parent web application.
- With a sandbox attribute containing both the
allow-same-origin
andallow-scripts
flags, framed page can reach up into the parent and remove the sandbox attribute entirely.
Remediation
- Avoid the usage of
allow-same-origin
andallow-scripts
at the same time.