Reputation: 406
My website offers rich content to users. I often subscribe to third-party vendors whose content I embed in my pages. How can I safely embed an external domain's content on my webpage in an iframe without worrying that they will be able to bust out of the frame? They won't do it on purpose (without risking their clientele/reputation). However, since they are almost always small shops, they become juicy targets for an attacker who wants to deface/redirect my website.
I am not asking how I can prevent an iframe from accessing the parent frame's DOM, which I know it can't. I am asking how we can prevent an iframe from doing something like the following (which doesn't require access to the parent's DOM):
top.location=url
Is there a header (something similar/opposite to X-Frame-Options) that I can use on my parent page to ensure that the iframes I embed can't bust out? Remember, I can't ask vendors to add headers/scripts to their pages. They never purposely want to do nefarious things to my page. The scenario I am trying to cover is the one where they get hacked.
Upvotes: 1
Views: 149
Reputation: 406
As noted in the comments, the sandbox attribute can prevent the script inside the iframe from accessing the window's top.href, location.href and similar methods. This will do what I want to achieve.
From w3schools:
When the sandbox attribute is present, it will:
- prevent the content from navigating its top-level browsing context
Upvotes: 1
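As an added example (not part of the original question or answer), the following Node.js script shows the embedder-side mechanism the answer describes: it builds an iframe tag whose sandbox attribute withholds every top-navigation flag, and it audits existing markup for frames that could still set top.location. The vendor hostnames and the SAMPLE_HTML snippet are constructed for the example; the sandbox token names are the standard HTML ones.

```javascript
// Added example, not code from the original post.
// Run with: node sandbox_iframe.js

// Sandbox tokens that allow framed content to navigate the embedding page.
const TOP_NAV_TOKENS = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Minimal attribute-value escaping so a vendor URL cannot break out of the tag.
const escapeAttr = (s) =>
  String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");

// Build an <iframe> for third-party content. The default allow-list grants only
// what a typical widget needs (scripts, forms) and deliberately omits
// allow-top-navigation*, allow-same-origin and allow-popups-to-escape-sandbox.
function buildSandboxedIframe(src, allow = ["allow-scripts", "allow-forms"]) {
  const url = new URL(src); // throws on malformed input
  if (!["http:", "https:"].includes(url.protocol)) {
    throw new Error(`refusing non-http(s) src: ${src}`);
  }
  for (const t of allow) {
    if (!/^allow-[a-z-]+$/.test(t)) throw new Error(`invalid sandbox token: ${t}`);
    if (TOP_NAV_TOKENS.has(t)) throw new Error(`${t} would let the frame set top.location`);
  }
  return (
    `<iframe src="${escapeAttr(url.href)}" sandbox="${allow.join(" ")}"` +
    ` referrerpolicy="no-referrer"></iframe>`
  );
}

// Audit every <iframe> in an HTML string. Returns one finding per frame that
// is not fully locked down: no sandbox attribute at all, a sandbox that grants
// a top-navigation token, or allow-scripts together with allow-same-origin
// (which lets a same-origin frame remove its own sandbox attribute).
function auditIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/(?:^|\s)src\s*=\s*"([^"]*)"/i) || [])[1] || "(no src)";
    const sb = attrs.match(/(?:^|\s)sandbox(?:\s*=\s*"([^"]*)")?/i);
    if (!sb) {
      findings.push({ src, severity: "high", reason: "no sandbox attribute: top.location is writable" });
      continue;
    }
    const tokens = (sb[1] || "").toLowerCase().split(/\s+/).filter(Boolean);
    const bad = tokens.filter((t) => TOP_NAV_TOKENS.has(t));
    if (bad.length) {
      findings.push({ src, severity: "high", reason: `sandbox grants ${bad.join(", ")}` });
    } else if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
      findings.push({
        src,
        severity: "warn",
        reason: "allow-scripts + allow-same-origin: a same-origin frame can strip its own sandbox",
      });
    }
  }
  return findings;
}

// Constructed sample page with four embeds: one safe, three questionable.
const SAMPLE_HTML = `
<div id="widgets">
  <iframe src="https://widgets.example-vendor.test/chat" sandbox="allow-scripts allow-forms"></iframe>
  <iframe src="https://ads.example-vendor.test/banner" sandbox="allow-scripts allow-top-navigation"></iframe>
  <iframe src="https://legacy.example-vendor.test/embed"></iframe>
  <iframe src="https://self.example.test/tool" sandbox="allow-scripts allow-same-origin"></iframe>
</div>`;

console.log(buildSandboxedIframe("https://widgets.example-vendor.test/chat?a=1&b=2"));
for (const f of auditIframes(SAMPLE_HTML)) {
  console.log(`[${f.severity}] ${f.src}: ${f.reason}`);
}
```

Because the attribute is written by the embedding page, it satisfies the constraint that the vendor cannot be asked to change anything: inside a frame built this way, `top.location = url` is rejected by the browser with a SecurityError. There is no response header the parent can send that constrains the frames it embeds; CSP's `sandbox` directive sandboxes the document it is served with, not the documents that document frames, so the per-frame attribute is the mechanism.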