toyouklion.blogg.se

Iframe security

The <iframe> element may be a security risk if your site is embedded inside an <iframe> on a hostile site. Note that it does not matter whether you use <iframe> yourself or not. The only real protection from this attack is to add the HTTP header X-Frame-Options: DENY and hope that the browser knows its job.

If anybody claims that using an <iframe> element on your site is dangerous and causes a security risk, they do not understand what the <iframe> element does, or they are speaking about the possibility of <iframe>-related vulnerabilities in browsers. The security of the <iframe> tag is equal to that of <a href> as long as there are no vulnerabilities in the browser. And if there is a suitable vulnerability, it might be possible to trigger it even without using an <iframe>, <script> or <a> element, so it is not worth considering for this issue.

The <iframe> element may also be a security risk if any page on your site contains an XSS vulnerability which can be exploited. In that case the attacker can expand the XSS attack to any page within the same domain that can be persuaded to load within an <iframe> on the page with the XSS vulnerability. This is because vulnerable content from the same origin (same domain) inside an <iframe> is allowed to access the parent document's DOM (practically, to execute JavaScript in the "host" document). The only real protection methods against this attack are to add the HTTP header X-Frame-Options: DENY and/or to always correctly encode all user-submitted data (that is, never have an XSS vulnerability on your site, which is easier said than done).

However, be warned that content from an <iframe> can initiate top-level navigation by default. That is, content within the <iframe> is allowed to automatically open a link over the current page location (the new location will be visible in the address bar). The only way to avoid that is to add the sandbox attribute without the value allow-top-navigation. Unfortunately, sandbox also disables all plugins, always. For example, historically YouTube couldn't be sandboxed because Flash Player was still required to view all YouTube content. No browser supports using plugins and disallowing top-level navigation at the same time.
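As an added example that is not part of the original post, two defender-side checks in JavaScript: one classifies a response's headers by the framing protection they declare (the X-Frame-Options: DENY fix described above, plus the newer CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present), and one builds a sandbox attribute value that refuses allow-top-navigation. The header names and sandbox tokens are real; the input objects are constructed for the demonstration.

```javascript
// Added example, not the original post's code. Both functions are pure so they
// can be run against constructed inputs.

// 1. What framing protection does a response declare?
//    Returns 'deny', 'same-origin', 'allow-list' or 'unprotected'.
function framingProtection(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  // CSP frame-ancestors wins over X-Frame-Options when both are set.
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim().toLowerCase())
                .find(d => d.startsWith('frame-ancestors'));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1);
    if (sources.length === 1 && sources[0] === "'none'") return 'deny';
    if (sources.length > 0 && sources.every(s => s === "'self'")) return 'same-origin';
    return 'allow-list';
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'unprotected';
}

// 2. Build a sandbox attribute value for an <iframe> that must not be able to
//    navigate the top-level page. Both top-navigation tokens are refused, and so is
//    the allow-scripts + allow-same-origin pair, because a same-origin document
//    with both could remove its own sandbox attribute and reload (HTML spec caveat).
const TOP_NAV_TOKENS = ['allow-top-navigation', 'allow-top-navigation-by-user-activation'];

function restrictedSandbox(wanted) {
  const tokens = new Set(wanted.map(t => t.toLowerCase()));
  for (const t of TOP_NAV_TOKENS) {
    if (tokens.has(t)) throw new Error(`refused sandbox token: ${t}`);
  }
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    throw new Error('refused: allow-scripts together with allow-same-origin');
  }
  // An empty value ("sandbox") is the most restrictive form and is still valid.
  return [...tokens].sort().join(' ');
}
```

The returned string is meant to be assigned to the iframe's sandbox attribute as-is; an empty string leaves the frame fully sandboxed.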