[WEB SECURITY] iFrame secure or not

application.secure application.secure application.secure at gmail.com
Sat Aug 30 09:56:30 EDT 2008


Thanks.
In an integration of two websites, is it more secure to use an iFrame or to
integrate the content of the website directly in the parent website (only from
a security point of view)?
For me, if we have to integrate content from another website, it's more secure
to use an iFrame.
If we integrate the content directly in the parent website, we can do
everything that the iFrame "issues" allow + a lot of other dangerous things...

Am I right?
-------- Original Message --------

> Subject: Re: [WEB SECURITY] iFrame secure or not
> Date: Fri, 29 Aug 2008 12:56:52 -0400 (EDT)
> From: bugtraq at cgisecurity.net
> To: application.secure at gmail.com (application.secure application.secure)
>
> If you are considering using iframes ensure you have your expectations set
> appropriately.
>
> - iframes should not be able to view content/cookies from another domain
> - iframe children CAN view certain properties and execute certain behaviors
>        - parent.window.blur
>        - parent.window.opener
>        - parent.window.length
>        - others
>
> - iframe children CAN redirect the parent frame to a new location (great for
> phishing)
>        - parent.location.href
>        - parent.window.location
>
> Parent (bar.com)
> <iframe id="topframe" name="Frame1"
> src="http://foo.com/child.html"></iframe>
>
> Child (tested in ff)
> <button name="changeFrame"
> onclick="parent.window.location='http://www.cnn.com';">parent.window.location</button><br>
> <button name="changeFrame"
> onclick="parent.location.href='http://www.cnn.com';">parent.location.href</button><br>
>
>
>
> IE does have support to restrict script execution within a child frame.
>
> Security Attribute
> http://msdn.microsoft.com/en-us/library/ms534622(VS.85).aspx
>
> Would be great if firefox had a similar thing. :)
>
> Regards,
> - Robert
>
> >
> > In the web development world, IFrames are always targeted as an insecure
> > component.
> > People say: "Do not use iframes, it's insecure", "Iframes allow iframe
> > injection and phishing attacks", ...
> >
> > I want to put this topic in perspective.
> > In the web 2.0 world it's probably more secure to integrate a widget in an
> > iframe than in the master page itself (at DOM level).
> >
> > In an outsourced web application integration project (partner1 will
> > integrate his application into partner2's portal), I think also that it is
> > more secure to use an IFrame (especially if partner1 has his own policy and
> > security guidelines).
> >
> > So, IFrames are not always insecure! It could sometimes be the best choice
> > to secure your web application and limit your application attack surface
> > area...
> >
> > Comments are welcome
>
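The redirect Robert demonstrates (a framed child setting `parent.location`) and the restriction he wishes Firefox had (IE's `security="restricted"`) both map onto the HTML `sandbox` attribute that every current browser now implements. What follows is an added example, not code from this thread or from any of its participants: a small Node.js model of the sandbox rules that matter here, plus a helper that emits Robert's parent-page markup with a sandbox applied. The origins bar.com and foo.com are taken from the thread; the function names, the token list and the attribute-escaping helper are this example's own assumptions, and it models the specified browser behaviour rather than driving a real browser.

```javascript
'use strict';

// Sandbox tokens relevant to the behaviours discussed in the thread.
// (Real browsers accept more; unknown tokens are rejected here so a
// typo such as "allow-script" cannot silently loosen the policy.)
const KNOWN_TOKENS = new Set([
  'allow-scripts',
  'allow-same-origin',
  'allow-forms',
  'allow-popups',
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

// Parse a `sandbox` attribute value. null/undefined = attribute absent
// (no sandboxing at all); "" = bare `sandbox`, every restriction active.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  const tokens = new Set();
  for (const t of attr.trim().split(/\s+/)) {
    if (t === '') continue;
    if (!KNOWN_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
    tokens.add(t);
  }
  return tokens;
}

// What can a child document at childOrigin do to a parent at parentOrigin,
// given the parent's <iframe sandbox="..."> value? (Assumed helper name.)
function childCapabilities({ parentOrigin, childOrigin, sandbox }) {
  const tokens = parseSandbox(sandbox);
  const sandboxed = tokens !== null;
  const has = (t) => sandboxed && tokens.has(t);

  // A sandboxed frame without allow-same-origin gets an opaque origin, so it
  // is cross-origin to everyone, including a parent on the same host.
  const sameOrigin =
    parentOrigin === childOrigin && (!sandboxed || has('allow-same-origin'));
  const scripts = !sandboxed || has('allow-scripts');

  return {
    // `parent.location = ...` (Robert's phishing example) or <a target="_top">:
    // unrestricted by default, blocked by any sandbox lacking the token.
    canNavigateTop: !sandboxed || has('allow-top-navigation'),
    canNavigateTopOnUserGesture:
      !sandboxed ||
      has('allow-top-navigation') ||
      has('allow-top-navigation-by-user-activation'),
    // parent.document / the parent's cookies: never across origins (Robert's
    // first bullet); same-origin only while the frame keeps its real origin.
    canReadParentDom: scripts && sameOrigin,
    // The classic foot-gun: a same-origin child with both allow-scripts and
    // allow-same-origin can reach parent.document, strip the sandbox
    // attribute from its own <iframe> and reload itself unsandboxed.
    sandboxEscapable: sandboxed && scripts && sameOrigin,
  };
}

// Minimal attribute escaping so the child URL cannot break out of src="".
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
}

// Robert's parent-page markup (bar.com framing foo.com) with a sandbox applied.
function frameMarkup(childUrl, sandbox) {
  const tokens = parseSandbox(sandbox); // validate before emitting
  const attr = tokens === null ? '' : ` sandbox="${[...tokens].join(' ')}"`;
  return `<iframe id="topframe" name="Frame1" src="${escapeAttr(childUrl)}"${attr}></iframe>`;
}

// Stand-alone demo: the thread's cross-origin case, before and after sandboxing.
if (typeof require !== 'undefined' && require.main === module) {
  const origins = { parentOrigin: 'https://bar.com', childOrigin: 'https://foo.com' };
  console.log('no sandbox :', childCapabilities({ ...origins, sandbox: null }));
  console.log('sandboxed  :', childCapabilities({ ...origins, sandbox: 'allow-scripts allow-forms' }));
  console.log(frameMarkup('https://foo.com/child.html', 'allow-scripts allow-forms'));
}
```

Two things the model makes visible that the thread only hints at: a bare or token-less sandbox stops the `parent.location` redirect even when the child keeps `allow-scripts`, and combining `allow-scripts` with `allow-same-origin` on a same-origin widget is no sandbox at all, because the child can remove the attribute itself. Cross-origin widgets (the partner1/partner2 case) are where the attribute buys the most, and `allow-top-navigation-by-user-activation` is the token to reach for if the widget legitimately needs to send the user elsewhere on a click.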