What exactly is the security risk of sandbox="allow-same-origin" on an iframe where the document is loaded from a 3rd party?

I've read tons of answers here and elsewhere that explain what it does; it allows the 3rd party site to access resources of the 3rd party site. It doesn't allow access to the host at all (as is incorrectly claimed in many places).

So what's the security risk?

References:

Accepted answer incorrectly claims allow-same-origin allows access to host:

Is it safe to have sandbox="allow-scripts allow-popups allow-same-origin" on <iframe />?

Security Risks of Including a 3rd party iframe

Answers says use sandbox, good, so how is there still a risk with allow-same-origin?

Security Risks of Including a 3rd Party iFrame

1 Answer

Without this, the page where the iFrame is embedded can access the contentWindow.document of the iFrame (and only if it's on the same origin, or embedded with srcdoc). Although it's pretty much a given that you'll control the JS on your page, that's the only risk I've managed to discover for this answer.
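As an added example that is not part of the question or the answer above, here is a small Node.js model of what the iframe sandbox tokens let a framed document reach. The rules are the ones the HTML specification and MDN describe for the sandbox attribute (no allow-same-origin means a fresh opaque origin; about:blank and srcdoc documents inherit the embedder's origin); the function names, result fields and the four constructed cases are this example's own.

```javascript
// Added example (not code from the question or the answer above): a Node.js
// model of which documents an iframe sandbox lets talk to which. Function and
// field names are this example's own; the rules follow the HTML spec and MDN.

// Only the two tokens that affect origin and scripting are modelled. Other
// tokens (allow-forms, allow-popups, ...) do not change the origin and are ignored.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null; // no sandbox attribute at all
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Origin the framed document would have without any sandboxing.
// about:blank and about:srcdoc documents inherit the embedder's origin.
function naturalOrigin(frameUrl, embedderOrigin) {
  if (frameUrl === 'about:blank' || frameUrl === 'about:srcdoc') return embedderOrigin;
  return new URL(frameUrl).origin; // scheme://host[:port]
}

function analyzeFrame({ embedderUrl, frameUrl, sandbox }) {
  const tokens = parseSandbox(sandbox);
  const unsandboxed = tokens === null;
  const scripts = unsandboxed || tokens.has('allow-scripts');
  const keepsOrigin = unsandboxed || tokens.has('allow-same-origin');

  const embedderOrigin = new URL(embedderUrl).origin;
  // Without allow-same-origin the document gets a unique opaque origin, which
  // is equal to nothing, not even the origin its URL would normally give it.
  const frameOrigin = keepsOrigin ? naturalOrigin(frameUrl, embedderOrigin) : 'opaque';
  const sameOrigin = keepsOrigin && frameOrigin === embedderOrigin;

  return {
    frameOrigin,
    // cookies, localStorage, IndexedDB and credentialed fetches of its real origin
    frameCanUseOwnStorage: keepsOrigin,
    // embedder script reading iframe.contentWindow.document (the case the answer names)
    embedderCanReadFrameDom: sameOrigin,
    // frame script reaching window.parent.document
    frameCanReadEmbedderDom: sameOrigin && scripts,
    // ...and therefore able to call removeAttribute('sandbox') on its own <iframe>
    canRemoveOwnSandbox: !unsandboxed && sameOrigin && scripts,
  };
}

// Constructed cases for illustration, not measurements of any real site.
const cases = {
  thirdPartyBothFlags: {
    embedderUrl: 'https://shop.example/',
    frameUrl: 'https://widget.example.net/w.html',
    sandbox: 'allow-scripts allow-same-origin',
  },
  thirdPartyScriptsOnly: {
    embedderUrl: 'https://shop.example/',
    frameUrl: 'https://widget.example.net/w.html',
    sandbox: 'allow-scripts',
  },
  sameOriginBothFlags: {
    embedderUrl: 'https://shop.example/',
    frameUrl: 'https://shop.example/untrusted.html',
    sandbox: 'allow-scripts allow-same-origin',
  },
  srcdocBothFlags: {
    embedderUrl: 'https://shop.example/',
    frameUrl: 'about:srcdoc',
    sandbox: 'allow-scripts allow-same-origin',
  },
};

// Run every case and return the results keyed by case name.
function report() {
  return Object.fromEntries(
    Object.entries(cases).map(([name, cfg]) => [name, analyzeFrame(cfg)])
  );
}

console.log(JSON.stringify(report(), null, 2));
```

For the third-party case the model shows what the question suspects: allow-same-origin only gives the framed document back its own origin, so it can read its own cookies and storage and send credentialed requests to its own host, but it still cannot touch the embedder's DOM. The combination to avoid is allow-scripts together with allow-same-origin on a document that is same-origin with the embedder or loaded via srcdoc: such a frame can reach window.parent.document and remove its own sandbox attribute, which the MDN documentation for the sandbox attribute calls out explicitly.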