[html] Why are iframes considered dangerous and a security risk?

Why are iframes considered dangerous and a security risk? Can someone describe an example of a case where it can be used maliciously?

This question is related to html security iframe

The answer is

The IFRAME element may be a security risk if your site is embedded inside an IFRAME on hostile site. Google "clickjacking" for more details. Note that it does not matter if you use <iframe> or not. The only real protection from this attack is to add HTTP header X-Frame-Options: DENY and hope that the browser knows its job.

In addition, IFRAME element may be a security risk if any page on your site contains an XSS vulnerability which can be exploited. In that case the attacker can expand the XSS attack to any page within the same domain that can be persuaded to load within an <iframe> on the page with XSS vulnerability. This is because content from the same origin (same domain) is allowed to access the parent content DOM (practically execute JavaScript in the "host" document). The only real protection methods from this attack is to add HTTP header X-Frame-Options: DENY and/or always correctly encode all user submitted data (that is, never have an XSS vulnerability on your site - easier said than done).

That's the technical side of the issue. In addition, there's the issue of user interface. If you teach your users to trust that URL bar is supposed to not change when they click links (e.g. your site uses a big iframe with all the actual content), then the users will not notice anything in the future either in case of actual security vulnerability. For example, you could have an XSS vulnerability within your site that allows the attacker to load content from hostile source within your iframe. Nobody could tell the difference because the URL bar still looks identical to previous behavior (never changes) and the content "looks" valid even though it's from hostile domain requesting user credentials.

If somebody claims that using an <iframe> element on your site is dangerous and causes a security risk, he does not understand what <iframe> element does, or he is speaking about possibility of <iframe> related vulnerabilities in browsers. Security of <iframe src="..."> tag is equal to <img src="..." or <a href="..."> as long there are no vulnerabilities in the browser. And if there's a suitable vulnerability, it might be possible to trigger it even without using <iframe>, <img> or <a> element, so it's not worth considering for this issue.

However, be warned that content from <iframe> can initiate top level navigation by default. That is, content within the <iframe> is allowed to automatically open a link over current page location (the new location will be visible in the address bar). The only way to avoid that is to add sandbox attribute without value allow-top-navigation. For example, <iframe sandbox="allow-forms allow-scripts" ...>. Unfortunately, sandbox also disables all plugins, always. For example, Youtube content cannot be sandboxed because Flash player is still required to view all Youtube content. No browser supports using plugins and disallowing top level navigation at the same time.

Note that X-Frame-Options: DENY also protects from rendering performance side-channel attack that can read content cross-origin (also known as "Pixel perfect Timing Attacks").

I'm assuming cross-domain iFrame since presumably the risk would be lower if you controlled it yourself.

  • Clickjacking is a problem if your site is included as an iframe
  • A compromised iFrame could display malicious content (imagine the iFrame displaying a login box instead of an ad)
  • An included iframe can make certain JS calls like alert and prompt which could annoy your user
  • An included iframe can redirect via location.href (yikes, imagine a 3p frame redirecting the customer from bankofamerica.com to bankofamerica.fake.com)
  • Malware inside the 3p frame (java/flash/activeX) could infect your user

"Dangerous" and "Security risk" are not the first things that spring to mind when people mention iframes … but they can be used in clickjacking attacks.

iframe is also vulnerable to Cross Frame Scripting:

Questions with html tag:

Embed ruby within URL : Middleman Blog Please help me convert this script to a simple image slider Generating a list of pages (not posts) without the index file Why there is this "clear" class before footer? Is it possible to change the content HTML5 alert messages? Getting all files in directory with ajax DevTools failed to load SourceMap: Could not load content for chrome-extension How to set width of mat-table column in angular? How to open a link in new tab using angular? ERROR Error: Uncaught (in promise), Cannot match any routes. URL Segment Angular 6: saving data to local storage Vue.js get selected option on @change Bootstrap 4 multiselect dropdown How to add bootstrap in angular 6 project? Angular 5 Button Submit On Enter Key Press Angular 5, HTML, boolean on checkbox is checked How to render string with html tags in Angular 4+? bootstrap 4 file input doesn't show the file name How can I execute a python script from an html button? Bootstrap 4: responsive sidebar menu to top navbar Stylesheet not loaded because of MIME-type Force flex item to span full row width Failed to load resource: the server responded with a status of 404 (Not Found) css Change arrow colors in Bootstraps carousel Bootstrap 4 Dropdown Menu not working? CSS Grid Layout not working in IE11 even with prefixes How to prevent page from reloading after form submit - JQuery Centering in CSS Grid Detecting real time window size changes in Angular 4 Angular 4 img src is not found (change) vs (ngModelChange) in angular Bootstrap 4: Multilevel Dropdown Inside Navigation Align the form to the center in Bootstrap 4 How to style a clicked button in CSS How do I change the font color in an html table? Redirecting to a page after submitting form in HTML Load json from local file with http.get() in angular 2 display: flex not working on Internet Explorer Scroll to element on click in Angular 4 How to extract svg as file from web page force css grid container to fill full screen of device How does the "position: sticky;" property work? HTML5 Video autoplay on iPhone Disable button in angular with two conditions? CSS hide scroll bar, but have element scrollable CSS grid wrapping How to load image (and other assets) in Angular an project? Flask - Calling python function on button OnClick event How can I make Bootstrap 4 columns all the same height? Wrapping a react-router Link in an html button

Questions with security tag:

Monitoring the Full Disclosure mailinglist Two Page Login with Spring Security 3.2.x How to prevent a browser from storing passwords JWT authentication for ASP.NET Web API How to use a client certificate to authenticate and authorize in a Web API Disable-web-security in Chrome 48+ When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site? How does Content Security Policy (CSP) work? How to prevent Screen Capture in Android Default SecurityProtocol in .NET 4.5 JWT refresh token flow If you can decode JWT, how are they secure? JWT (JSON Web Token) automatic prolongation of expiration Explanation of polkitd Unregistered Authentication Agent SecurityError: Blocked a frame with origin from accessing a cross-origin frame SSL Error: unable to get local issuer certificate How to upgrade OpenSSL in CentOS 6.5 / Linux / Unix from source? How to create a laravel hashed password Docker and securing passwords Node.js https pem error: routines:PEM_read_bio:no start line iptables LOG and DROP in one rule How to make a machine trust a self-signed Java application SPA best practices for authentication and session management ASP.NET Identity's default Password Hasher - How does it work and is it secure? Why is it common to put CSRF prevention tokens in cookies? XMLHttpRequest cannot load file. Cross origin requests are only supported for HTTP best practice to generate random token for forgot password Is it possible to decrypt SHA1 How to allow http content within an iframe on a https site Why am I suddenly getting a "Blocked loading mixed active content" issue in Firefox? How do I generate a SALT in Java for Salted-Hash? Disable cross domain web security in Firefox Can local storage ever be considered secure? Disable firefox same origin policy How do you Encrypt and Decrypt a PHP String? Best practices when running Node.js with port 80 (Ubuntu / Linode) Run local java applet in browser (chrome/firefox) "Your security settings have blocked a local application from running" Java Error: "Your security settings have blocked a local application from running" Spring Test & Security: How to mock authentication? encrypt and decrypt md5 C - The %x format specifier How to find the privileges and roles granted to a user in Oracle? What are good ways to prevent SQL injection? Found 'OR 1=1/* sql injection in my newsletter database How to avoid reverse engineering of an APK file? OAuth2 and Google API: access token expiration time? How to solve "Kernel panic - not syncing - Attempted to kill init" -- without erasing any user data How to securely save username/password (local)? SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application Securely storing passwords for use in python script

Questions with iframe tag:

Getting all files in directory with ajax YouTube Autoplay not working Inserting the iframe into react component How to disable auto-play for local video in iframe iframe refuses to display iFrame onload JavaScript event YouTube iframe embed - full screen Change New Google Recaptcha (v2) Width load iframe in bootstrap modal Responsive iframe using Bootstrap SecurityError: Blocked a frame with origin from accessing a cross-origin frame Find elements inside forms and iframe using Java and Selenium WebDriver iFrame Height Auto (CSS) Failed to load resource: net::ERR_INSECURE_RESPONSE How to get an IFrame to be responsive in iOS Safari? Resize Cross Domain Iframe Height Insert content into iFrame How to align iframe always in the center How to set an iframe src attribute from a variable in AngularJS HTML embedded PDF iframe HTML5 : Iframe No scrolling? How to allow http content within an iframe on a https site Alternative for frames in html5 using iframes Making an iframe responsive Full Page <iframe> Fitting iframe inside a div difference between iframe, embed and object elements Get HTML inside iframe using jQuery How to get a reference to an iframe's window object inside iframe's onload handler created from parent window Iframe positioning HTML iframe - disable scroll Nested iframes, AKA Iframe Inception Catch error if iframe src fails to load . Error :-"Refused to display 'http://www.google.co.in/' in a frame.." Stop embedded youtube iframe? Get value of input field inside an iframe Change background color of iframe issue How to pick element inside iframe using document.getElementById IFrame: This content cannot be displayed in a frame Detect click event inside iframe How to open a PDF file in an <iframe>? How can I detect whether an iframe is loaded? Resize external website content to fit iFrame width Scale iFrame css width 100% like an image using javascript to detect whether the url exists before display in iframe Creating an iframe with given HTML dynamically Youtube - How to force 480p video quality in embed link / <iframe> Remove scrollbar from iframe Make iframe automatically adjust height according to the contents without using scrollbar? How to handle iframe in Selenium WebDriver using java Safari 3rd party cookie iframe trick no longer working?