Severity: medium | CWE-693 | OWASP A05:2021

Iframe Without Sandbox Attribute

Third-party or user-generated content loaded in an iframe without the sandbox attribute, allowing that content to run scripts, access parent cookies, and navigate the top-level frame.

How It Works

An unsandboxed iframe runs with the capabilities of any ordinary browsing context: it can execute scripts, submit forms, open popups, make requests, and navigate the parent window (for example through window.top.location). If the framed document is same-origin with your page, it can also read document.cookie for non-HttpOnly cookies and script the parent's DOM; a cross-origin frame is kept out of your cookies and DOM by the same-origin policy but keeps every other capability. The sandbox attribute restricts what the iframe can do: a sandboxed iframe with no additional permissions is treated as a unique origin and cannot run scripts, submit forms, open popups, or navigate the top-level frame, so it is essentially isolated.

Vulnerable Code

// BAD: iframe with no sandbox; the embedded page gets every capability listed above
<iframe src="https://third-party-widget.com/embed" />

// Or user-provided URL: the submitting user chooses what runs in your page
<iframe src={userProvidedUrl} />

Secure Code

// GOOD: sandbox with only required permissions
<iframe
  src="https://third-party-widget.com/embed"
  sandbox="allow-scripts allow-same-origin"
  // allow-same-origin lets the cross-origin widget keep its own origin (its own
  // cookies and storage). Never combine it with allow-scripts for content that
  // is served from your own origin: the frame could then remove its own sandbox.
  // Only add further permissions you actually need:
  // allow-forms, allow-popups, allow-modals
/>

Real-World Example

If you embed user-provided URLs (such as in a 'preview' feature) without sandbox, users can submit URLs whose pages attempt to navigate your top-level window (via window.top.location) or, where the content ends up same-origin with your page, read your cookies. This is exploited in phishing and session hijacking.

How to Prevent It

  • Always add the sandbox attribute to iframes loading external or user-provided content
  • Start with just sandbox (no values) and add only the permissions you actually need
  • Never add allow-same-origin unless absolutely necessary — it defeats sandboxing for same-origin iframes
  • Combine with a CSP frame-src directive so your page can only load frames from the origins you expect
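The prevention steps above, worked through in code. This is an added example, not code from the page or from Data Hogo: server-side helpers that render an iframe for a third-party or user-provided URL with the smallest sandbox token set the widget needs, refuse the token combinations that defeat the sandbox unless the embed is explicitly marked trusted, and emit the matching CSP frame-src directive. Every function name, the host allowlist, and the sample URLs are hypothetical; the token list is a subset of the tokens the HTML specification defines.

```javascript
// Added example, not the page's or Data Hogo's code: build a sandboxed <iframe>
// for third-party or user-provided URLs and the matching CSP frame-src value.
// Function names, the allowlist and the sample URLs are hypothetical.

// Subset of the sandbox tokens defined by the HTML spec; anything else is rejected.
const KNOWN_SANDBOX_TOKENS = new Set([
  'allow-forms', 'allow-modals', 'allow-popups', 'allow-scripts',
  'allow-same-origin', 'allow-downloads', 'allow-top-navigation',
  'allow-top-navigation-by-user-activation', 'allow-popups-to-escape-sandbox',
]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Accept only absolute http(s) URLs; javascript:, data: and relative URLs are
// rejected. An optional host allowlist restricts which hosts may be framed.
function validateEmbedUrl(raw, allowedHosts = null) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    throw new Error('embed URL is not a valid absolute URL');
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`embed URL scheme not allowed: ${url.protocol}`);
  }
  if (allowedHosts && !allowedHosts.includes(url.host)) {
    throw new Error(`embed host not in allowlist: ${url.host}`);
  }
  return url.href; // normalised, with reserved characters percent-encoded
}

// Build the sandbox attribute value from the permissions a widget needs.
// An empty list yields sandbox="" (fully restricted). allow-scripts together
// with allow-same-origin lets a same-origin frame strip its own sandbox, and
// allow-top-navigation lets the frame redirect the parent window, so both are
// refused unless the caller explicitly marks the embed as trusted.
function buildSandbox(permissions, { trusted = false } = {}) {
  const tokens = [...new Set(permissions)].sort();
  for (const t of tokens) {
    if (!KNOWN_SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  const escapesSandbox = tokens.includes('allow-scripts') && tokens.includes('allow-same-origin');
  const navigatesTop = tokens.includes('allow-top-navigation');
  if (!trusted && (escapesSandbox || navigatesTop)) {
    throw new Error('permission set defeats the sandbox; mark the embed trusted to allow it');
  }
  return tokens.join(' ');
}

// Render the iframe markup. With no options the frame gets no permissions at all.
function renderSandboxedIframe(rawUrl, { permissions = [], trusted = false, allowedHosts = null } = {}) {
  const src = validateEmbedUrl(rawUrl, allowedHosts);
  const sandbox = buildSandbox(permissions, { trusted });
  return `<iframe src="${escapeAttr(src)}" sandbox="${escapeAttr(sandbox)}"></iframe>`;
}

// CSP directive limiting which origins this page may load into frames.
function cspFrameSrc(origins) {
  return origins.length === 0 ? "frame-src 'none'" : `frame-src ${origins.join(' ')}`;
}

// Usage: a third-party widget that needs scripts, and a user-supplied preview URL
// that gets the default, fully restricted sandbox.
console.log(renderSandboxedIframe('https://third-party-widget.com/embed', { permissions: ['allow-scripts'] }));
console.log(renderSandboxedIframe('https://user-supplied.example/page'));
console.log(cspFrameSrc(['https://third-party-widget.com']));
```

The user-provided URL path deliberately has no way to pass trusted: true, so a preview feature can only ever produce a fully restricted frame, and the CSP value should be set in the Content-Security-Policy response header alongside the rendered markup.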

Affected Technologies

React, Next.js, JavaScript

Data Hogo detects this vulnerability automatically.
