I have an iframe on my web app which I want to sandbox to prevent things like opening of popups, etc. But I also want to allow-same-origin on it for some reasons. So the sandbox attributes I want to apply are: allow-scripts allow-forms allow-same-origin. The iframe is of the same origin as its parent.

Now, if I apply the sandbox using the iframe's sandbox attribute, I know that it can be bypassed by removing the sandbox attribute from the iframe by accessing the parent's DOM.

But what if I apply the sandbox using the sandbox CSP directive. I deliver the CSP using an HTTP Header. Can it be bypassed?

1 Answer

The short answer is "yes", it can be bypassed, but this depends on exactly what you do:

  • If you serve the framed page with a CSP header into an iframe using the 'sandbox' directive along with 'allow-scripts' 'allow-forms' and 'allow-same-origin', this won't help you. Sure, the framed page can't change the DOM to remove the restrictions, but the bottom line is that the framed page would have full access to the DOM of the parent window. Basically if you do 'allow-scripts' and 'allow-same-origin' then there's no limitation placed on the javascript that runs.

  • However, if you additionally carefully set script-src and object-src (or default-src) then you can restrict the scripts that are executed to a limited set. This way you can ensure that only your javascript code is run, and you can ensure that said code does not do anything you don't want. The only caveat is that you've got to be real careful setting script-src and object-src because even innocent-looking files sitting on the server can be used for a CSP bypass in some cases.
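As an added illustration (not code from the answer's author), here is a small checker that parses a Content-Security-Policy header string and reports, for a frame that shares its parent's origin, whether the sandbox still leaves its scripts able to reach the parent DOM and whether script-src / object-src (with the default-src fallback) actually bound what may run. The two header strings at the bottom are constructed samples of the weak and hardened configurations described in the answer; the hostname in them is made up.

```python
# Added example (not the answer's code): check the two CSP configurations the
# answer contrasts, for a frame that shares its parent's origin.

# Source expressions that effectively remove any restriction.
BROAD_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"}

def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]} (first directive wins)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def sources_bounded(policy, directive):
    """True when the directive (or its default-src fallback) names a bounded set."""
    sources = policy.get(directive, policy.get("default-src"))
    if not sources:
        return False  # absent or empty: nothing is restricted
    return not any(s.lower() in BROAD_SOURCES for s in sources)

def assess(header):
    """Evaluate a CSP header delivered with a same-origin framed page."""
    policy = parse_csp(header)
    flags = {t.lower() for t in policy.get("sandbox", [])}
    scripts = policy.get("script-src", policy.get("default-src", []))
    return {
        "sandboxed": "sandbox" in policy,
        # With both flags the frame is an ordinary same-origin document again,
        # so its scripts can read and modify the parent's DOM.
        "parent_dom_reachable": "allow-scripts" in flags and "allow-same-origin" in flags,
        # What still limits the frame is the script/object allow-list.
        "script_src_bounded": sources_bounded(policy, "script-src"),
        "object_src_bounded": sources_bounded(policy, "object-src"),
        # 'self' is bounded, but it makes every file served from the origin a
        # candidate script: the caveat the answer raises.
        "self_in_script_src": "'self'" in {s.lower() for s in scripts},
    }

# Constructed sample headers for the two cases the answer contrasts.
WEAK = "sandbox allow-scripts allow-forms allow-same-origin"
HARDENED = ("sandbox allow-scripts allow-forms allow-same-origin; "
            "default-src 'none'; script-src https://static.example/app.js; "
            "object-src 'none'")

if __name__ == "__main__":
    for name, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess(header))
```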