Content framing has a long history on the WWW, first being introduced by Netscape Navigator 2 in 1996. Not to be outdone in the browser war, Internet Explorer countered a year later with a new element of their own, the inline frame, or <iframe>. Iframes are more flexible than the regular kind since they can be placed anywhere within the body.
Nowadays, old-school (Netscape style) frames have fallen out of fashion, but iframes are more popular than ever. They’re used for advertising, social plugins (e.g. Facebook “like” buttons and “Share on Twitter” functionality), webpage widgets, and so on.
72% of the Alexa top 5000 sites have iframes on their landing pages. Of those, each has on average 7.1 iframes. Some sites have well over 50 frames.
Of all these 25,849 iframes on the top 5000 sites, only 10 use the HTML5 sandbox security attribute. That’s a whopping 0.04%! We’ll learn more about this attribute in a bit.
Examining the top 50 sites, there are a lot fewer iframes. But no one is using the aforementioned sandbox attribute. Of the top 1000, only two sites employ it.
The options for exploitation are numerous. The cute social button you found somewhere online may be useful now, but the author might abandon it later on. When the domain serving the button iframe expires, someone might register it and serve malware instead of the button. This would suddenly make your site spew out malware, mildly annoying your visitors. Ads can also be dangerous. They are supposedly reviewed by ad networks but misbehaving ones have been known to slip through.
HTML5 Security Attributes
HTML5 introduced new attributes which help restrict allowed actions for iframed content. The
Actually there is a trick you can use - wrapping the ad-generating code in your very own iframe and sandboxing that one. Unfortunately, this might be considered a violation of the ad networks’ policy. AdSense discourages users from “manipulating the ad targeting using hidden keywords, IFRAMEs, or any other method”.
The Way Forward
How can we start fixing up the iframe security hole? HTML5 Rocks has an example of how to add the sandbox attribute to Twitter’s tweet button. The same process can - and should - be applied to all the iframes you place on your website. And if you aren’t allowed to modify the iframe code, as is the case for many advertising networks? Carefully consider whether the payoff is worth the risk of granting control of your website to an external party.
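As an added example (not code from the original post or from HTML5 Rocks), here is a small audit in the spirit of the survey above: it walks the iframes in a page's markup, reports which ones lack the sandbox attribute, and flags token combinations worth a second look. The markup, the ad network host and the widget paths are constructed for the demo.

```javascript
// Constructed sample markup: an unsandboxed ad slot, a sandboxed tweet button
// in the HTML5 Rocks style, and a fully restricted (bare "sandbox") widget.
const SAMPLE_HTML = `
<body>
  <iframe src="https://ads.example-network.test/slot?id=42" width="300" height="250"></iframe>
  <iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms"
          src="https://platform.twitter.com/widgets/tweet_button.html"></iframe>
  <iframe sandbox src="/widgets/weather.html"></iframe>
</body>`;

// Parse the attributes of one tag: name, optionally ="value", ='value' or =bare.
// A bare attribute such as `sandbox` maps to the empty string.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one audit record per <iframe> in the markup.
function auditIframes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const sandboxed = Object.prototype.hasOwnProperty.call(attrs, "sandbox");
    const tokens = sandboxed ? attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean) : [];
    const warnings = [];
    if (!sandboxed) {
      warnings.push("no sandbox: framed content runs with full privileges");
    } else {
      // A same-origin document given both tokens can strip its own sandbox attribute.
      if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
        warnings.push("allow-scripts + allow-same-origin: same-origin content can remove its sandbox");
      }
      if (tokens.some((t) => t.startsWith("allow-top-navigation"))) {
        warnings.push("allow-top-navigation: framed content may navigate this page away");
      }
    }
    results.push({ src: attrs.src ?? "", sandboxed, tokens, warnings });
  }
  return results;
}

// Share of frames carrying the attribute, the figure quoted for the top 5000 sites above.
function sandboxedShare(results) {
  return results.length === 0 ? 0 : results.filter((r) => r.sandboxed).length / results.length;
}

console.log(auditIframes(SAMPLE_HTML), sandboxedShare(auditIframes(SAMPLE_HTML)));
```

In a browser the same audit can be run against the live page by reading `document.querySelectorAll("iframe")` instead of regex-scanning markup, but the token checks are identical.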