Insecure iFrame

  • CWE 16
  • WASC 15
  • OWASP 2017-A6

Identified an insecure inline frame.

Apply sandboxing, which places a set of security and usability restrictions on the iframe.

Adding the sandbox attribute to an <iframe> element places the element into sandbox mode, which adds the following restrictions to how the browser treats the document inside the iframe:

  • treats the iframe content as being from a different origin than the primary document
  • blocks form submission
  • blocks JavaScript execution
  • disables the Pointer Lock API (mouse movement capture)
  • prevents anchor links from targeting other browsing contexts (opening in a new tab or window)
  • prevents use of plugins (<embed>, <object>, <applet>, or other)
  • prevents the content from navigating its top-level browsing context
  • blocks automatic playback of media

These sandbox precautions can help maintain browser security, which is especially useful if the <iframe> is embedding a third-party document over which you have no control.

Each of these restrictions can be lifted individually by adding space-separated values to the sandbox attribute.

  • allow-top-navigation: Allows a sandboxed iframe to navigate its top-level browsing context.
  • allow-scripts: Enables JavaScript in a sandboxed iframe.
  • allow-same-origin: Allows the content of a sandboxed iframe to be treated as having the same origin as the primary document.
  • allow-popups: Enables popups in a sandboxed iframe.
  • allow-pointer-lock: Enables the Pointer Lock API (mouse movement capture) in a sandboxed iframe.
  • allow-forms: Enables form submission in a sandboxed iframe.
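The following is an added example, not code from the original finding or from any scanner vendor: a small Node.js audit that scans page markup for <iframe> elements and reports the conditions described above (no sandbox attribute at all, and sandbox values that hand back the riskiest restrictions). The regex-based tag and attribute matching, the function names and the sample markup are all assumptions made for this example; a production check would use a real HTML parser. It also flags the combination of allow-scripts with allow-same-origin, because a framed document that is same-origin and may run script can remove its own sandbox attribute, which defeats the sandbox.

```javascript
// Added example (not part of the original page): audit <iframe> tags for
// missing or weakened sandboxing. Regex matching is an assumption used to
// keep the example dependency-free; prefer an HTML parser in real tooling.

const IFRAME_TAG = /<iframe\b([^>]*)>/gi;
// name="value" | name='value' | name=value
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one tag into a lowercase name -> value map.
// Valueless attributes such as a bare `sandbox` map to the empty string.
function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  // Whatever is left after removing name=value pairs are bare attribute names.
  const rest = attrText.replace(ATTR, " ");
  for (const m of rest.matchAll(/[a-zA-Z-]+/g)) {
    const name = m[0].toLowerCase();
    if (!(name in attrs)) attrs[name] = "";
  }
  return attrs;
}

// Split a sandbox attribute value into its set of allow-* tokens.
function sandboxTokens(value) {
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

// Audit every <iframe> in the HTML. Returns one finding per iframe with
// the src, the raw sandbox value (null when absent) and a list of issues.
function auditIframes(html) {
  const findings = [];
  for (const tag of html.matchAll(IFRAME_TAG)) {
    const attrs = parseAttributes(tag[1]);
    const issues = [];
    if (!("sandbox" in attrs)) {
      issues.push("missing sandbox attribute: framed document is unrestricted");
    } else {
      const tokens = sandboxTokens(attrs.sandbox);
      // Same-origin content that may run script can strip its own sandbox
      // attribute, so these two tokens together cancel the sandbox.
      if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
        issues.push("allow-scripts + allow-same-origin: framed content can escape the sandbox");
      }
      if (tokens.has("allow-top-navigation")) {
        issues.push("allow-top-navigation: framed content may navigate the top-level page");
      }
    }
    findings.push({ src: attrs.src ?? "", sandbox: attrs.sandbox ?? null, issues });
  }
  return findings;
}

// Constructed sample markup (not taken from any real site): one unsandboxed
// iframe, one with a risky token combination, one least-privilege iframe,
// and one with a bare sandbox attribute (all restrictions in force).
const SAMPLE_HTML = `
<html><body>
<iframe src="https://third-party.example/widget"></iframe>
<iframe src="https://third-party.example/app" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://third-party.example/form" sandbox="allow-forms"></iframe>
<iframe src="https://third-party.example/blank" sandbox></iframe>
</body></html>`;

for (const f of auditIframes(SAMPLE_HTML)) {
  const mode = f.sandbox === null ? "(no sandbox)" : `sandbox="${f.sandbox}"`;
  console.log(f.src, mode, f.issues.length ? f.issues : "ok");
}
```

Run it with `node` to see one line per iframe; only the first two iframes in the sample produce findings. When lifting restrictions, grant the smallest set of allow-* tokens the embedded content actually needs, and treat allow-scripts together with allow-same-origin as equivalent to having no sandbox at all.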