Reputation: 1857
I'm hoping this won't get classed as an opinionated answer, but here goes:
I have come across a few third-party libs that simply ask you to render a div:
<div id="targetThirdparty"></div>
Inject their script to the site and then their script does the magic.
I came across a scenario today where I was asked to inject a script similar to the way described above, but in this case the script itself injects an iframe that contained an entire HTML document with their scripts and CSS etc.
I thought initially that this cannot be an ideal security scenario, since the scripts in the HTML document can be harmful or present some kind of security risk that a malicious user can exploit, and also we cannot control it at all.
Searching the web I have found that when using iframes it can be a common case to inject HTML like this. However, what I am looking for is: is this a good practice? Should I inform my customer not to have this on the site? Motivation for and against?
Upvotes: 0
Views: 246
Reputation: 1636
The short answer to your question is "it depends". To clarify this you are embedding code and content from a third party and therefore are increasing the risk of something bad happening. However, this is an increase to risk and you need to understand if it is acceptable in your environment.
Whenever I am thinking about adding content via a third party script I consider the following:
This largely comes down to who is the vendor providing the script and what is the functionality. If the vendor is a well known name with a good reputation then I am less worried. However if the functionality is to provide content from their users (think social media) then the risk might be a little higher.
I would always make the page load first and display an error or hide the component if the script from a third party failed. Yes, I have dealt with an incident where a third-party feed on a page caused an entire site I was responsible for to go down.
In summary, only you (or your customer) can decide if this is appropriate. It is a case of reward vs risk, and in many cases the reward outweighs the risk. Therefore not a blanket "no, don't do this", but please go into it with a good understanding of the risks involved.
Upvotes: 1
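One way to implement the "page loads first, hide the component on failure" advice from the answer above, as an added example that is not code from the question, the answer or any vendor. The container id "targetThirdparty" comes from the question; the script URL, the timeout value and the isReady check (how you detect that the vendor script actually initialised) are assumptions.

```javascript
// Added example (not from the question or answer above): load a third-party
// widget script without blocking the page, and hide the container if the
// script fails to load or does not initialise in time. The div id
// "targetThirdparty" comes from the question; the script URL and the
// isReady check are hypothetical placeholders.

// Pure state machine: decides what happens to the container on each outcome.
// Kept free of DOM calls so it can be exercised outside a browser.
function createWidgetGuard(container, isReady) {
  let state = 'loading';
  function settle(next) {
    if (state !== 'loading') return;          // first outcome wins
    state = next;
    if (next !== 'ok' && container) container.hidden = true; // hide, don't break the page
  }
  return {
    get state() { return state; },
    onLoad() { settle(isReady() ? 'ok' : 'not-initialised'); },
    onError() { settle('error'); },
    onTimeout() { settle('timeout'); },
  };
}

// Browser wiring: inject the vendor script with async so the page's own
// content renders first, and enforce a deadline so a slow or dead vendor
// host cannot leave the widget hanging.
function loadThirdPartyWidget(doc, { containerId, src, isReady, timeoutMs = 5000 }) {
  const container = doc.getElementById(containerId);
  const guard = createWidgetGuard(container, isReady);
  const timer = setTimeout(() => guard.onTimeout(), timeoutMs);
  const script = doc.createElement('script');
  script.src = src;
  script.async = true;                         // never block page rendering
  script.onload = () => { clearTimeout(timer); guard.onLoad(); };
  script.onerror = () => { clearTimeout(timer); guard.onError(); };
  doc.head.appendChild(script);
  return guard;
}

// Usage in the page (document and window are browser globals):
// loadThirdPartyWidget(document, {
//   containerId: 'targetThirdparty',
//   src: 'https://vendor.example/widget.js',                   // placeholder URL
//   isReady: () => typeof window.VendorWidget === 'object',     // hypothetical global
// });
```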