Netsparker identified an external insecure or misconfigured iframe.


IFrame sandboxing enables a set of extra restrictions for the content in the inline frame.

The Same Origin Policy allows one window to access the properties and functions of another only if both come from the same origin, that is the same protocol (scheme), the same host name and the same port.
URLs are not from the same origin when any of these parts differ, for example a sub domain, a different domain, a different protocol, or a different port.

When the sandbox attribute is set, the iframe content is treated as being from a unique origin and sandboxed content is re-hosted in the browser with the following restrictions:

  • Plugins are disabled. Any kind of ActiveX, Flash, or Silverlight plugin will not be executed.
  • Forms are disabled. The framed content cannot submit forms to any target.
  • Scripts are disabled. JavaScript is disabled and will not execute.
  • Navigation of other browsing contexts is disabled. An anchor targeting the parent or top frame, or a new window, will not navigate that context.
  • Unique origin treatment. All framed content is treated as coming from a unique (opaque) origin, so it cannot access the parent page's DOM or read its cookies.

When the sandbox attribute is missing or misconfigured (or the seamless attribute is used) on an iframe that loads an untrusted URL:

  • A compromised website loaded in the iframe might affect the users of the parent web application.
  • A sandbox attribute containing the value:
    • allow-same-origin will not force the unique origin for the iframe contents; the framed site keeps its real origin, including its cookies and storage.
    • allow-top-navigation will allow the iframe to navigate the parent context, e.g. change parent.location.
    • allow-forms will allow form submissions from inside the iframe.
    • allow-popups will allow popups (e.g. window.open or target="_blank" links).
    • allow-scripts will allow malicious script execution, although popups are still blocked unless allow-popups is also present. Note that if the framed document is same-origin with the embedding page, allow-scripts together with allow-same-origin lets it remove the sandbox attribute from its own iframe element and reload, escaping the sandbox entirely.
  • If the seamless attribute is set (where a browser honours it; the attribute was later dropped from the HTML standard), links within the iframe will navigate the parent frame.
  • Apply sandboxing to the inline frame:
    <iframe sandbox src="framed-page-url"></iframe>
  • For untrusted content, avoid the seamless attribute and avoid allow-top-navigation, allow-popups and allow-scripts in the sandbox attribute. Add only the allow-* tokens the framed content actually needs.
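The following Node.js script is an added example and is not code from the original Netsparker page or product. It implements the Same Origin Policy comparison described above (scheme, host and port via the WHATWG URL class) and then audits the iframe elements of an HTML document: a cross-origin iframe without a sandbox attribute, or with one of the permissive allow-* tokens, is reported, and a same-origin iframe carrying both allow-scripts and allow-same-origin is reported as an escapable sandbox. The sample HTML, the page origin https://app.example.com and all function names are constructed for illustration; the tag parser is deliberately simple (regular expressions, no nested markup).

```javascript
// Added example, not from the original page. Audits <iframe> elements for a
// missing or weak sandbox attribute. Sample input is constructed below.

// Origin tuple of the Same Origin Policy: scheme + host + port. URL.origin
// normalises default ports away (http://example.com:80 -> http://example.com)
// and yields the string "null" for opaque schemes such as data: or javascript:.
function originOf(url, base) {
  return new URL(url, base).origin;
}

function isSameOrigin(a, b, base) {
  return originOf(a, base) === originOf(b, base);
}

// Minimal attribute parser for a single start tag (assumption: no '>' inside
// attribute values). Bare attributes such as `sandbox` get the empty string.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Tokens that hand capabilities back to untrusted framed content.
const RISKY_TOKENS = [
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-popups',
  'allow-scripts',
];

// Returns one finding per iframe: { src, external, issues[] }.
function auditIframes(html, pageOrigin) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    if (attrs.src === undefined) continue; // srcdoc / about:blank frames not covered here
    const src = attrs.src;
    const external = !isSameOrigin(src, pageOrigin, pageOrigin);
    const tokens = new Set(
      (attrs.sandbox ?? '').toLowerCase().split(/\s+/).filter(Boolean)
    );
    const issues = [];

    if (external) {
      if ('seamless' in attrs) issues.push('seamless attribute set');
      if (!('sandbox' in attrs)) {
        issues.push('sandbox attribute missing');
      } else {
        for (const t of RISKY_TOKENS) if (tokens.has(t)) issues.push(`sandbox allows ${t}`);
        if (tokens.has('allow-same-origin')) {
          issues.push('sandbox allows allow-same-origin (unique-origin protection disabled)');
        }
      }
    } else if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
      // Same-origin content with both tokens can remove the sandbox attribute
      // from its own iframe element and reload itself unsandboxed.
      issues.push('allow-scripts with allow-same-origin: framed page can remove the sandbox attribute');
    }
    findings.push({ src, external, issues });
  }
  return findings;
}

// Constructed sample page (not a real site).
const PAGE_ORIGIN = 'https://app.example.com';
const SAMPLE_HTML = `
<iframe src="https://widgets.partner.test/embed"></iframe>
<iframe sandbox src="https://widgets.partner.test/embed"></iframe>
<iframe sandbox="allow-scripts allow-top-navigation" src="//ads.example.net/unit.html"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" src="/internal/help.html"></iframe>
<iframe src="https://app.example.com:8443/report"></iframe>
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditIframes(SAMPLE_HTML, PAGE_ORIGIN), null, 2));
}
```

Run it with `node audit-iframes.js` to print the findings for the constructed sample: the unsandboxed partner widget and the port-8443 frame (a different port is a different origin) are flagged as missing a sandbox, the ad unit is flagged for allow-scripts and allow-top-navigation, the bare `sandbox` frame is clean, and the same-origin help frame is flagged as an escapable sandbox. A real scanner would additionally walk srcdoc frames and frames injected by script, which this parser does not see.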
