
What iFrame Security Advice Can You Give me ?

Howdy Folks,

As you have failed to guess, 🙂 I want to open iframes, more than one, to some of my webpages from other webpages.
What do I need to be careful of so no crook injects anything malicious on my site or on my visitors' client sides?

Q1.
Which of these attributes, mentioned in the tutorial, do I need to add or ignore on my iFrames for the sake of preserving security so no holes pop up?

allow
allowfullscreen
height
loading
name
referrerpolicy
sandbox
src
srcdoc
width

https://www.w3schools.com/tags/tag_iframe.ASP

Bear in mind, I won’t be using Javascript on my website or iFrame pages.
Only html, php and maybe css.

I know this is lame for security purpose:

[code]
<iframe src="https://www.w3schools.com" title="W3Schools Free Online Web Tutorials">
</iframe>
[/code]

And, as you have managed to guess correctly this time, the same questions also go for if I want to open iFrames to third-party sites and I do not want to jeopardise security on my end, the visitor's end or the end of the site I open the iFrames to. I must have security intact. I do not want other sites getting harmed, or my website visitors getting harmed by malicious internet crooks, due to my insecure iFrame code, and find myself getting sued left and right.
How would you code the iFrames on both cases ?

PHP

21 Comments

@novice2022 (author), Dec 14, 2022 — @sempervivum

Just wondering if you used frames more over iFrames or the other way round. If so, then why ?

I do not see any real difference between the two and so do not understand why the W3C substituted frames with iFrames!

Q2.

Ok. Which of these sandbox attributes, mentioned in the tutorial, do I need to add or ignore on my iFrames for the sake of preserving security so no holes pop up on my iframes that open to my own pages?

allow-forms
allow-pointer-lock
allow-popups
allow-same-origin
allow-scripts
allow-top-navigation

https://www.w3schools.com/tags/att_iframe_sandbox.asp

The same question goes for opening iFrames to third-party sites.

Again, bear in mind, I won't be using Javascript on my website or iFrame pages.

Only html, php and maybe css.
@novice2022 (author), Dec 14, 2022 — Q3.

Let us see how you would do the codings yourselves. :)
@novice2022 (author), Dec 14, 2022 — Q4.

How to foil their measures ? You know, when some websites foil you opening their pages on iFrames.

Should I be using this instead ...?

iframe srcdoc
@novice2022 (author), Dec 14, 2022 — @NogDog

Q5.

Is it possible to get the iFrame to auto-edit text before opening the iFramed page?

Eg. Let us say nogdog.com/forum has the text 'Doggy's Forum' on the page and I want to have the word/text 'forum' changed to 'message board'. Now, when the page loads in the iFrame, the following text should not be shown:

'NogDog's Forum'

But get shown instead:

'NogDog's Message Board'

Same question goes for changing links.

And changing parts of the html or css code or even javascript in the iFrames page.

Changes can be made based on regex pattern. Yes ?
@novice2022 (author), Dec 14, 2022 — @ginerjm

Why do I get the feeling you have stopped using iFrames ?

Q6.

I read now this benefit about the sandbox:

**"Unique origin treatment. All content is treated under a unique origin. The content is not able to traverse the DOM or read cookie information.

This means that even content coming from the same domain is treated with the cross-domain policy, as each IFRAME content will be viewed as a unique origin."**


https://www.htmlgoodies.com/news/html-iframe-sandbox/

To be honest, I really do not think opening iFrames to my site's own pages would be a security issue. And so, I am not bothering with the sandbox in this case.

What do you say about my opinion ?
@novice2022 (author), Dec 14, 2022 — Q7.

This is very puzzling!

I read ....

**allow-same-origin

By default, an IFRAME page from the same domain has the possibility to access the parent’s document object model.

With the sandbox attribute in place, the page will be treated as not being from the same origin. This page has no access to the resources, even when coming from the same domain.

To re-enable same-origin treatment in a sandboxed scenario, you have to specify the allow-same-origin attribute.**



<iframe sandbox="allow-same-origin" src="xyz.html"></iframe>



**The value itself is not very helpful, as you need some script capabilities to make use of it.

For example, if you want to access the local storage of the current domain like this:**

function loadFromStorage( key ) {
    if( localStorage ) {
        return localStorage.getItem( key );
    }
}


**…you also need the allow-scripts value:**

<iframe sandbox="allow-scripts allow-same-origin" src="xyz.html"></iframe>

**Now access works!

But be warned: Allowing multiple scripts in the same sandbox can lead to security vulnerabilities. For example, your hosted content can manipulate the attributes of the sandbox and remove further restrictions.**

My question is, why is it security issue when I am opening the iFrame to another webpage of mine on my same website ? Obviously, I won't have malicious codes on my iFramed page to damage or steal things of my page that is opening the iFrame. Now would I ?

So, what is the big fright-issue here ?

I do not understand!

Question arose after reading the Sand Box's 'allow-scripts' section here:

https://www.htmlgoodies.com/news/html-iframe-sandbox/
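The following is an added example from the editor, not code from the thread or from any of its posters. It puts the answer to Q1, Q2 and the Q7 puzzle above into one server-side helper that emits the `<iframe>` start tag: the `src` is checked (https only, hosts on an allowlist), every attribute value is escaped so a crafted URL or title cannot close the quote and inject further attributes, third-party pages get the empty `sandbox` (all restrictions on), the poster's own script-free PHP form pages get only `allow-forms allow-same-origin`, and the `allow-scripts allow-same-origin` pair is refused because, as the quoted article says, content that has both can manipulate the attributes of its own frame and remove the restrictions. The host names (`mysite.example`, the `www.w3schools.com` allowlist) and the two profile names are assumptions made for the example. It is JavaScript so it runs under Node; the same checks translate directly to PHP.

```javascript
// Added example, not code from the thread. Builds a least-privilege <iframe>
// start tag for a server-rendered page. Host names, titles and the two profile
// names are placeholders chosen for this example.

const OWN_HOST = 'mysite.example';                                // assumed
const ALLOWED_THIRD_PARTY_HOSTS = new Set(['www.w3schools.com']); // assumed allowlist

// Sandbox tokens browsers recognise; anything else is silently ignored, so
// treat an unknown token as a typo rather than emit it.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Third-party pages get the empty sandbox (every restriction on). Own pages,
// which in this thread are script-free PHP forms, get only what a form needs.
const PROFILES = {
  'third-party': { sandbox: [], referrerpolicy: 'no-referrer' },
  'own-page': { sandbox: ['allow-forms', 'allow-same-origin'], referrerpolicy: 'same-origin' },
};

// Escape for a double-quoted attribute so a crafted src or title cannot close
// the quote and inject further attributes or a new tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Reject the combination that lets framed content undo its own sandbox, and
// tokens the browser would not understand.
function checkSandboxTokens(tokens) {
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    throw new Error('allow-scripts with allow-same-origin lets the frame remove its sandbox');
  }
  return tokens;
}

// Only https, and only hosts we decided to embed. javascript:, data: and
// http: URLs are rejected here rather than relying on the sandbox alone.
function validateSrc(src, trust) {
  const url = new URL(src); // throws on malformed input
  if (url.protocol !== 'https:') throw new Error(`refusing scheme ${url.protocol}`);
  if (trust === 'own-page' && url.host !== OWN_HOST) {
    throw new Error(`own-page profile used for foreign host ${url.host}`);
  }
  if (trust === 'third-party' && !ALLOWED_THIRD_PARTY_HOSTS.has(url.host)) {
    throw new Error(`host not allowlisted: ${url.host}`);
  }
  return url.href;
}

function buildIframe({ src, title, trust }) {
  const profile = PROFILES[trust];
  if (!profile) throw new Error(`unknown trust level: ${trust}`);
  const href = validateSrc(src, trust);
  const tokens = checkSandboxTokens(profile.sandbox);
  const attrs = [
    `src="${escapeAttr(href)}"`,
    `title="${escapeAttr(title)}"`,
    `sandbox="${tokens.join(' ')}"`,
    `referrerpolicy="${profile.referrerpolicy}"`,
    'loading="lazy"',
    // Permissions Policy: do not delegate powerful features to the frame.
    `allow="camera 'none'; microphone 'none'; geolocation 'none'"`,
  ];
  return `<iframe ${attrs.join(' ')}></iframe>`;
}

// Usage: the two cases asked about in the thread.
console.log(buildIframe({ src: 'https://www.w3schools.com', title: 'W3Schools', trust: 'third-party' }));
console.log(buildIframe({ src: 'https://mysite.example/register.php', title: 'Register', trust: 'own-page' }));
```

The sandbox attribute is the only one of the attributes listed in Q1 that removes capability from the framed page; `referrerpolicy` and `allow` limit what the frame learns and may use, and `loading`, `width`, `height` and `name` have no security effect. Note that the refusal of `allow-scripts allow-same-origin` applies to own pages as well: the danger is not that the poster's page is malicious, but that any script injection into that page (a stored XSS in a forum post, say) inherits the parent's origin and can strip the sandbox.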
@novice2022 (author), Dec 14, 2022 — @sempervivum

I would appreciate your valuable inputs.

Thanks!
@novice2022 (author), Dec 22, 2022 — @tracknut

Care to be kind enough to chime in ?
@novice2022 (author), Dec 22, 2022 — @NogDog

@sempervivum

Reading this tutorial now, but I deem I will not understand 75% of it as I am not experienced in techno like you lot.

If you are interested in brushing up on iFrame security because you have not been using iFrames for a long time now, then be my guest and read it, as I think I can later on (one day in the near future) make use of what you understood from it that I did not understand myself reading it, as I hardly understand techno jargon and need things explained to me in layman's language like you usually explain things to me.

https://blogs.halodoc.io/iframe-security-threats-and-the-prevention/
@novice2022 (author), Dec 22, 2022 — Folks,

For example, let us say I write a search engine where the SERP does not list search result links like the traditional search engines but actually goes and just opens the search result links via iFrames.

So instead of showing 10 SER Links per SERP, it shows 10 iFrames opening to the 10 SER Links (search result links).

Now my SE (search engine) cannot be dealing with millions of APIs and the like. Now can it?

Imagine Google dealing with 1 billion websites' 1 billion APIs and Ajaxes.

That was just one typical example of why I would want to use an iFrame.

@Ginerjm

I know you will reply to use APIs and Ajax instead. Hence, answering in advance.

A good reading:

https://blogs.halodoc.io/iframe-security-threats-and-the-prevention/

Just read it. Now reading the other links it linked to.

If you are free, do read them.

Thanks!
@novice2022 (author), Dec 22, 2022 — @sibert

Are you an expert on iFrames?
@Anawilliam, Dec 23, 2022 — To preserve security when using <iframe> elements, you should consider the following attributes:

src: This attribute specifies the URL of the page that will be loaded in the <iframe>. You should make sure that the URL is from a trusted source and that you are only loading content that you want to display.

sandbox: This attribute allows you to specify a list of restrictions that should be applied to the <iframe>. For example, you can use the sandbox attribute to disable JavaScript, prevent the <iframe> from making requests to other domains, or block form submissions.
@AliArsalan, Dec 24, 2022 — Hello, I am Ali Arsalan from Techkluster IT company.

**Link removed by moderator**
@novice2022 (author), Dec 28, 2022 — @Anawilliam#1649393

Thank you very much for your valuable response.

I read through all the iFrame attributes and most of their descriptions I do not understand.

Are you familiar with the attributes and are you willing to answer questions that may sound silly to you ?

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attributes

Hello Folks,

Why does this iFrame fail ?
<iframe src="http://ebay.com" sandbox>
<p>Your browser does not support iframes.</p>
</iframe>

Why does this sandbox code fail?
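An added example from the editor, not from the thread, on the point raised in Q4 and in the post just above: whether a page can be framed is decided by the framed site's response headers, not by anything in the embedding `<iframe>` tag, and adding `sandbox` neither causes nor cures a refusal. A site that sends `Content-Security-Policy: frame-ancestors ...` or `X-Frame-Options` tells the browser which embedders may show it, and the browser renders nothing when the embedder is not on that list. The function below evaluates those two headers the way browsers do (CSP `frame-ancestors` is authoritative when present; otherwise `X-Frame-Options` is read per the HTML specification's algorithm, with conflicting values treated as a refusal). It assumes single-level framing and a single CSP header; the header sets at the bottom and the host names (`mysite.example`, `partner.example`) are constructed for the example. The same headers are what the poster's own `register.php` should send, for instance with PHP's `header('Content-Security-Policy: frame-ancestors \'self\'')`, so that only the poster's own pages can frame it. To see what a real site sends, `curl -I` the URL and look for those two headers.

```javascript
// Added example, not code from the thread. Decides whether a response may be
// shown inside an <iframe> on a given embedding page, following the rules
// browsers apply: a CSP frame-ancestors directive, when present, is
// authoritative; otherwise X-Frame-Options is evaluated per the HTML spec.
// Single-level framing and a single CSP header are assumed. The header sets
// at the bottom are constructed for this example, not captured from any site.

function parseHeaders(lines) {
  // lines: ["Name: value", ...]; repeated names are joined with ", " as a
  // browser's header list does.
  const map = new Map();
  for (const line of lines) {
    const i = line.indexOf(':');
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    map.set(name, map.has(name) ? `${map.get(name)}, ${value}` : value);
  }
  return map;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// One frame-ancestors source expression against the embedder's origin.
function sourceMatches(expr, embedderOrigin, framedOrigin) {
  const e = new URL(embedderOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") return embedderOrigin === framedOrigin;
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return e.protocol === expr.toLowerCase(); // e.g. https:
  // host-source: [scheme://] [*.] host [:port | :*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== e.protocol) return false;
  const h = host.toLowerCase();
  if (wildcard ? !e.hostname.endsWith(`.${h}`) : e.hostname !== h) return false;
  if (port && port !== '*' && port !== (e.port || defaultPort(e.protocol))) return false;
  return true;
}

function framingAllowed(headerLines, embedderUrl, framedUrl) {
  const h = parseHeaders(headerLines);
  const embedder = new URL(embedderUrl).origin;
  const framed = new URL(framedUrl).origin;

  // CSP frame-ancestors, when present, decides; X-Frame-Options is then ignored.
  const csp = h.get('content-security-policy');
  if (csp) {
    const directive = csp.split(';').map(s => s.trim()).find(s => /^frame-ancestors(\s|$)/i.test(s));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1); // no sources behaves like 'none'
      return { allowed: sources.some(s => sourceMatches(s, embedder, framed)), rule: directive };
    }
  }

  // X-Frame-Options per the HTML spec: conflicting values refuse, DENY refuses,
  // SAMEORIGIN compares origins, anything else (e.g. obsolete ALLOW-FROM) is ignored.
  const xfo = h.get('x-frame-options');
  if (xfo) {
    const values = [...new Set(xfo.split(',').map(v => v.trim().toLowerCase()))];
    if (values.length > 1) return { allowed: false, rule: `conflicting X-Frame-Options: ${xfo}` };
    if (values[0] === 'deny') return { allowed: false, rule: 'X-Frame-Options: DENY' };
    if (values[0] === 'sameorigin') return { allowed: embedder === framed, rule: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { allowed: true, rule: 'no framing restriction sent' };
}

// Constructed sample responses (assumed host names).
const HEADERS_OWN_PAGE = [             // what the poster's own pages should send
  'Content-Type: text/html; charset=utf-8',
  "Content-Security-Policy: frame-ancestors 'self'",
  'X-Frame-Options: SAMEORIGIN',       // fallback for browsers without CSP support
];
const HEADERS_REFUSES_ALL = ['X-Frame-Options: DENY'];
const HEADERS_PARTNER_ONLY = ['Content-Security-Policy: frame-ancestors https://*.partner.example'];
const HEADERS_UNPROTECTED = ['Content-Type: text/html'];

console.log(framingAllowed(HEADERS_OWN_PAGE, 'https://mysite.example/iframe_Test.html', 'https://mysite.example/register.php'));
console.log(framingAllowed(HEADERS_OWN_PAGE, 'https://other.example/', 'https://mysite.example/register.php'));
```

The `HEADERS_UNPROTECTED` case is the one to avoid on the poster's own pages: a page that sends neither header can be framed by any site, which is the precondition for clickjacking the register form.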
@novice2022 (author), Dec 28, 2022 — Programmers,

This is very puzzling!

I read ....

**allow-same-origin**

**By default, an IFRAME page from the same domain has the possibility to access the parent’s document object model.**

**With the sandbox attribute in place, the page will be treated as not being from the same origin. This page has no access to the resources, even when coming from the same domain.**

**To re-enable same-origin treatment in a sandboxed scenario, you have to specify the allow-same-origin attribute.**
<iframe sandbox="allow-same-origin" src="xyz.html"></iframe>

**The value itself is not very helpful, as you need some script capabilities to make use of it.**

**For example, if you want to access the local storage of the current domain like this:**
function loadFromStorage( key ) {
    if( localStorage ) {
        return localStorage.getItem( key );
    }
}

**…you also need the allow-scripts value:**
<iframe sandbox="allow-scripts allow-same-origin" src="xyz.html"></iframe>

**Now access works!**

**But be warned: Allowing multiple scripts in the same sandbox can lead to security vulnerabilities. For example, your hosted content can manipulate the attributes of the sandbox and remove further restrictions.**

My question is, why is it security issue when I am opening the iFrame to another webpage of mine on my same website ? Obviously, I won't have malicious codes on my iFramed page to damage or steal things of my page that is opening the iFrame. Now would I ?

So, what is the big fright-issue here ? I do not understand!

Question arose after reading the Sand Box's 'allow-scripts' section here:

https://www.htmlgoodies.com/news/html-iframe-sandbox/

@novice2022 (author), Dec 28, 2022 — @AnnaWilliam

I read through all the iFrame attributes and most of their descriptions I did not understand, I am afraid.

Hence, I am just gonna use code like this for security purposes by sandboxing everything when opening iFrames to third-party websites:

<iframe src="http://third-party-site.com" sandbox>
<p>Your browser does not support iframes.</p>
</iframe>


And, I will use following to open iFrames to my other pages:

<iframe src="http://mysite.com">
<p>Your browser does not support iframes.</p>
</iframe>


What is your professional opinion on my steps ?

Thanks!
@novice2022 (author), Dec 28, 2022 — Web Designers,

This is very very odd!

I have page on my local host: iframe_Test.html.

The page has iFrame code opening to: register.php.

This following code prevents the Register Form from working:

<iframe src="register_Template.php" sandbox="allow-same-origin" sandbox="allow-forms">

<p>Your browser does not support iframes.</p>

</iframe>

However, rearranging the code does not prevent the form from working!

<iframe src="register_Template.php" sandbox="allow-forms" sandbox="allow-same-origin">

<p>Your browser does not support iframes.</p>

</iframe>

Strange! How so ?

Both files are on the same directory. The page that has the iFrame and the page that is the src of the iFrame.

This beats me! Puzzling!
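An added example from the editor, not from the thread, explaining the behaviour in the post above. When a start tag repeats an attribute name, the HTML parser treats it as a duplicate-attribute parse error, keeps the first occurrence and drops every later one. So `sandbox="allow-same-origin" sandbox="allow-forms"` becomes `sandbox="allow-same-origin"` (forms blocked) and the reversed order becomes `sandbox="allow-forms"` (forms work). The intended tag is one `sandbox` attribute with space-separated tokens. The tokenizer below implements only that first-wins rule for a single start tag (it is not an HTML parser, and attribute values containing `>` are out of scope) and runs it over the two tags from the post plus the corrected one; the file name `register_Template.php` is the poster's.

```javascript
// Added example, not code from the thread: what a browser's HTML parser does
// with the two start tags from the post above. Per the HTML parsing spec a
// repeated attribute name is a parse error and every occurrence after the
// first is discarded. This tokenizer implements just that rule for one start
// tag; it is not a full HTML parser.

function parseStartTag(tag) {
  // <tagname attr="v" attr2='v' attr3=v attr4 ...>  (no '>' inside values)
  const m = /^<([a-zA-Z][^\s\/>]*)([^>]*?)\/?>/.exec(tag.trim());
  if (!m) throw new Error('not a start tag');
  const attrs = new Map();
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let a;
  while ((a = re.exec(m[2])) !== null) {
    const name = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (attrs.has(name)) continue; // duplicate-attribute: later occurrence dropped
    attrs.set(name, value);
  }
  return { name: m[1].toLowerCase(), attrs };
}

// Sandbox tokens the browser will actually enforce for this tag, or null when
// the element carries no sandbox attribute at all.
function effectiveSandbox(tag) {
  const { attrs } = parseStartTag(tag);
  if (!attrs.has('sandbox')) return null;
  return attrs.get('sandbox').split(/\s+/).filter(Boolean).map(t => t.toLowerCase());
}

// Unsandboxed frames may submit forms; sandboxed ones only with allow-forms.
function formsAllowed(tag) {
  const tokens = effectiveSandbox(tag);
  return tokens === null || tokens.includes('allow-forms');
}

// The two tags from the post (register_Template.php is the poster's file name).
const TAG_FIRST_SAME_ORIGIN =
  '<iframe src="register_Template.php" sandbox="allow-same-origin" sandbox="allow-forms">';
const TAG_FIRST_FORMS =
  '<iframe src="register_Template.php" sandbox="allow-forms" sandbox="allow-same-origin">';
// What was intended: one attribute, space-separated tokens.
const TAG_FIXED =
  '<iframe src="register_Template.php" sandbox="allow-forms allow-same-origin">';

for (const tag of [TAG_FIRST_SAME_ORIGIN, TAG_FIRST_FORMS, TAG_FIXED]) {
  console.log(tag, '\n  effective sandbox:', effectiveSandbox(tag), ' forms allowed:', formsAllowed(tag));
}
```

Browsers' developer tools show the same thing: inspect the rendered `<iframe>` and only the first `sandbox` attribute survives.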

@novice2022 (author), Dec 28, 2022 — @NogDog

Do you mind chiming in and see if you can solve this latest issue I am facing ? I mentioned about it in my previous post.
@novice2022 (author), Dec 28, 2022 — Folks,

I read through all the iFrame attributes and most of their descriptions I did not understand, I am afraid.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox

Hence, I am just gonna use code like this for security purposes by sandboxing everything when opening iFrames to third-party websites:

<iframe src="http://third-party-site.com" sandbox>
<p>Your browser does not support iframes.</p>
</iframe>


And, I will use following to open iFrames to my other pages:

<iframe src="http://third-party-site.com" sandbox>
<p>Your browser does not support iframes.</p>
</iframe>

Is this ok for security purposes, or am I tripping over?
@novice2022 (author), Dec 28, 2022 — @NogDog

Have you experienced anything like these before ?

If I uninstall Xampp and reinstall, then my database & tables will get deleted.
@novice2022 (author), Jan 08, 2023 — @NogDog

How much you know about iFrames ? Do you mind chiming in ?