<iframe sandbox src="http://example.com"></iframe>
There's also ' frame-src' for content security policies, which lets you control what is allowed in the iframe's src. Even with these guards in place, you generally should not let user content drive an iframe's src
Why is CSP so under-utilized? Less than 0.2% of the top 1m sites. Although only 9% use basic features like secure cookies, and 6% HSTS.
I think a few reasons:
1. It's not a sufficient replacement for sanitizing input. You need to sanitize; CSP is just an extra layer of protection.
2. relative new.
3. many popular frameworks don't support it out of the box.
Lots of sites have marketing departments which like to switch out their advertising, engagement, A/B testing, etc. code on a regular basis. Which in turn requires either changing the CSP frequently to accommodate, or else opening holes in the CSP to allow marketing to just copy/paste inline JS and other badness. At which point it's hard to justify CSP.
The spec versions are interesting to read too, as well as browser compatibility. Differences in interpretation of the spec lead to github issues which lead to browsers fixing things in the past few months that have been part of the spec for much longer. (And if you have a big chunk of IE11 users, "what's the point" is valid.) An example of a spec issue is that I'm working on adding an endpoint for the report-uri directive so we can log some metrics but the first thing you see when reading about report-uri is that it's been deprecated in favor of report-to, but literally no stable browser release supports report-to yet.
It's also not really enough. https://github.com/tc39/proposal-frozen-realms is a useful extension, since it would allow frameworks to do what they need to set up everything but then lock down objects from further extension/abuse...
It's especially annoying on github.
That said, that report also notes that there is growth. A site I manage, https://bestpractices.coreinfrastructure.org , does use CSP in practically every page. There's one page where we had to weaken the CSP requirements, but that page doesn't include any data directly created by a user (so the risk is not low). The most recent version of CSP has some features that may make transition easier (once sites believe they can depend on it). There's reason to hope that CSP will become more common, but it's going to take time.
The spec revisions are a little arduous, but in my experience the biggest problem is that any site big enough to start caring about CSP is also big enough to have a myriad of trackers and JS snippets that insist on using these unsafe features. Google Tag Manager might as well have been based on weaponized XSS payloads.
And now the technical problem is actually a human problem because some poor security schmuck has to convince a totally different team with a totally different reporting structure (those trackers likely go up into sales or marketing, possibly some random SEO contractor you've barely heard of!) to prioritize a pretty fundamental change.
Maybe the security person tries to walk up their reporting chain until the two converge, possibly at the CEO. But it sure sounds like you're trying to kill a feature for intangible goals (it may or may not prevent an XSS vuln, you say?). And the team that owns the feature will tell you they can directly attribute growth to the visibility they get from that feature.
Even when it isn't SEO's fault, a lot of sites legitimately use inline scripts in order to shovel some server-side JSON into the rendered HTML quickly where eventually some JS can access it for example. You can use DOM elements with data attributes, but that's probably not how it works today because that's not the obvious way to do it.
What happens if a site:
- allows 'unsafe-inline' as a script-src
- does not allow untrusted domains in frame-src
That essentially means frame-src is set to that same thing since it’s not specified. So the bypass in the example would still work since it’s iframing the same (trusted) domain even if they explicitly specify frame-src.
That being said, this technique might still work in theory on whatever domains you have specified in frame-src if it doesn’t include ‘self’.
So if you’re foo.com and frame-src only allows bar.com. If you managed to get script into foo.com maybe you could put an iframe pointing to bar.com/reallylongorinvalid
That being said I haven’t had a chance to try this out on my machine yet so I could be missing something
Also it looks like their demo includes sandbox allow-same-origin and allow-scripts in its CSP.
So if the domain you are currently on listed in frame-src it looks like you would be safe from this. But if you explicitly set frame-src to include either 'self' or the domain itself then you would still be vulnerable to this.
> But if you explicitly set frame-src to include either 'self' or the domain itself then you would still be vulnerable to this.
- There is a site foo.com, which has a CSP, but allows iframes from self or foo.com
- A user is able to inject some XSS to open an iframe to foo.com/50x.html, an nginx page with no CSP. Since CSP allows our own site to be used in iframes, this is allowed.
- In that page, further JS is injected to extract secrets from the foo.com parent page and connect them to remote networks. Since foo.com/50x.html has no CSP, this is allowed.
This is of course not bypassing CSP.