My website has an iframe used for loading my clients' websites (only 5). How can I make sure the iframe is secure? Also, by editing the iframe src it allows loading any other website. How can I prevent it?
What exactly do you want to prevent? What do you mean by "editing iframe src"? – Joel, commented Aug 1, 2013 at 15:26
1 Answer
There is no way to dictate how a client chooses to execute the HTML/JavaScript you provide. This should never be a security concern. If you are loading this iframe src based on a GET variable, then this is XSS: http://site?iframe_src=javascript:alert(document.cookie). In this condition an attacker can introduce JavaScript into another user's session, and this is a serious security concern.
If a site can be placed within an iframe, then it is vulnerable to ClickJacking. This does not expose the parent site that hosts the iframe, but rather any site is subject to this type of manipulation. There are ways of mitigating ClickJacking for sites that must be frame-able.
OMG. When I checked that, I got a JavaScript pop-up. How can I block it? – commented Aug 5, 2013 at 4:06
@so you have a GET variable iframe_src, seeing as HTTP variables are attacker controlled and the basis of 99.9999999999999999% of all web app vulnerabilities this should be a concern. Before you write this variable to the page, make sure it is a URL you trust. Done! – rook, commented Aug 6, 2013 at 3:52