Netsparker identified an external insecure or misconfigured iframe.
IFrame sandboxing enables a set of extra restrictions for the content in the inline frame. The Same Origin Policy allows one window to access the properties and functions of another only if both come from the same protocol, the same port and the same domain.
URLs from the same origin:
http://site.com
http://site.com/
http://site.com/my/page.html

URLs not from the same origin:
http://www.site.com (sub domain)
http://site.org (different domain)
https://site.com (different protocol)
http://site.com:8080 (different port)
When the sandbox attribute is set, the iframe content is treated as being from a unique origin and the sandboxed content is re-hosted in the browser with the following restrictions:
When the sandbox attribute is not set or is misconfigured, or the seamless attribute is used on an iframe for an untrusted URL:
allow-same-origin will not force a unique origin for the iframe contents.
allow-top-navigation will allow the iframe to navigate the parent context, e.g. change
allow-forms will allow form submissions from inside the iframe.
allow-popups will allow popups.
allow-scripts will allow script execution, including malicious script, but still disallows creating popups.
When the seamless attribute is set, links within the iframe will navigate the parent frame.
<iframe sandbox src="framed-page-url"></iframe>
If script execution inside the frame is required, use allow-scripts in the sandbox attribute.
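As an added example (not Netsparker's code), the following helper applies the two checks described above to markup under review: the same-origin rule on the report's own example URLs, and an audit of each iframe's sandbox tokens and seamless attribute. The sample HTML is constructed for the demonstration.

```javascript
// Added example (not Netsparker's code): a small audit for the two points
// above, the same-origin rule and the iframe sandbox attribute. Uses only
// the WHATWG URL API, so it runs unchanged in Node and in the browser.

// Same origin = same scheme, same host, same port. URL drops a default
// port, so http://site.com and http://site.com:80 compare as equal.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// sandbox tokens that hand a capability back to the framed page.
const RISKY_TOKENS = ["allow-same-origin", "allow-top-navigation",
                      "allow-forms", "allow-popups", "allow-scripts"];

// Scan every <iframe ...> tag in an HTML string and report, per frame, its
// src, the sandbox tokens present and a list of findings. This is a plain
// tag scan for reviewing markup, not a full HTML parser.
function auditIframes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']*)["']/i) || [])[1] || "";
    const sandbox = attrs.match(/\bsandbox\b(?:\s*=\s*["']([^"']*)["'])?/i);
    const findings = [];
    let tokens = [];
    if (!sandbox) {
      findings.push("no sandbox attribute: framed content is unrestricted");
    } else {
      tokens = (sandbox[1] || "").toLowerCase().split(/\s+/).filter(Boolean);
      for (const t of tokens) if (RISKY_TOKENS.includes(t)) findings.push(`${t} granted`);
      // With both tokens the framed page keeps its real origin and may run
      // script, so it can reach its own <iframe> element and strip the sandbox.
      if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin"))
        findings.push("allow-scripts + allow-same-origin: sandbox can be removed by the framed page");
    }
    if (/\bseamless\b/i.test(attrs)) findings.push("seamless: links in the frame navigate the parent");
    results.push({ src, tokens, findings });
  }
  return results;
}

// Constructed sample markup: one unsandboxed frame, the remedy from the
// report, and one frame whose sandbox hands most capabilities back.
const SAMPLE_HTML = `
<iframe src="http://site.org/widget"></iframe>
<iframe sandbox src="framed-page-url"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" seamless src="http://site.org/ad"></iframe>`;

for (const r of auditIframes(SAMPLE_HTML)) console.log(r.src, r.findings);
```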