Summary
Acunetix 360 identified a misconfigured sandbox attribute in an iframe.
Impact
IFrame sandboxing enables a set of extra restrictions for the content in the inline frame.
The same-origin policy allows one window to access the properties and functions of another only if both come from the same protocol, the same port and the same domain.
URLs from the same origin:
http://site.com
http://site.com/
http://site.com/my/page.html
URLs not from the same origin:
http://www.site.com (sub domain)
http://site.org (different domain)
https://site.com (different protocol)
http://site.com:8080 (different port)
When the sandbox attribute is set, the iframe content is treated as being from a unique origin, forms and scripts are disabled, links are prevented from targeting other browsing contexts and plugins are disabled.
When the sandbox attribute of an iframe on the same origin is misconfigured:
- A compromised website in the iframe might affect the users of the parent web application.
- With a sandbox attribute containing both the allow-same-origin and allow-scripts flags, the framed page can reach up into the parent and remove the sandbox attribute entirely.
Remediation
- Avoid the usage of allow-same-origin and allow-scripts at the same time.
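One way to audit a page for this misconfiguration, given as an added example and not Acunetix 360's own detection logic: the script below lists every iframe whose sandbox attribute carries both flags and marks whether its source is same-origin with the parent. The page URL, the markup and the names audit, origin and SandboxAudit are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
RISKY = {"allow-scripts", "allow-same-origin"}

# Constructed sample input: parent page URL and markup (not from a real site).
PAGE_URL = "http://site.com/my/page.html"
SAMPLE_HTML = """
<iframe sandbox="allow-scripts allow-same-origin" src="/widget.html"></iframe>
<iframe sandbox="allow-same-origin allow-scripts" src="http://site.com:8080/w.html"></iframe>
<iframe SANDBOX="Allow-Scripts ALLOW-SAME-ORIGIN" src="https://site.com/x"></iframe>
<iframe sandbox="allow-scripts" src="/scripts-only.html"></iframe>
<iframe sandbox src="/strict.html"></iframe>
"""

def origin(url):
    """Return the (protocol, host, port) triple compared by the same-origin policy."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))

class SandboxAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (resolved frame URL, same origin as parent?)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag != "iframe" or "sandbox" not in attr:
            return
        # Sandbox tokens are space separated and case-insensitive;
        # a bare `sandbox` attribute parses as None (all restrictions on).
        tokens = set((attr["sandbox"] or "").lower().split())
        if not RISKY <= tokens:
            return
        # A relative src is resolved against the parent page before comparing.
        src = urljoin(self.page_url, attr.get("src") or "")
        self.findings.append((src, origin(src) == origin(self.page_url)))

def audit(page_url, html):
    parser = SandboxAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for src, same in audit(PAGE_URL, SAMPLE_HTML):
        print(("SAME-ORIGIN, both flags: " if same else "cross-origin, both flags: ") + src)
```

Entries marked True are the case described under Impact; entries marked False carry both flags but load from a different origin than the parent.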