How can an iframe remove its own sandboxing?

I am loading an external widget (tlk.io, loaded via a cross-origin script) in a same-origin iframe. I am trying to give the iframe/widget the lowest possible privileges in order to isolate it from my application.

MDN gives the following warning:

Notes about sandboxing:

When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.

Firefox devtools shows me this warning:

An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.

My question is: in this case (sandbox="allow-same-origin allow-scripts"), how can the iframe remove its sandbox? What JS code would do this?

Inside the iframe, I tried looking at window.opener, but it is null. window.parent does not point to the parent (edit: incorrect, I was using devtools wrongly). I cannot find a reference to the «iframe» from the iframe itself...

You are exposing yourself to DOM iframe manipulation.

With those two sandbox attributes, nothing stops the embedded frame from replacing itself with a new iframe that has any permissions enabled.

index.html

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>Bad Sandboxing</title>
  </head>
  <body>
    <p>This is here to space out iframe</p>
    <iframe
      src="malicious_child.html"
      sandbox="allow-same-origin allow-scripts"
      id="mountPoint"
    >
    </iframe>
    <p>This is here to space out iframe</p>
  </body>
</html>

malicious_child.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Child</title>
</head>
<body>
<script type="text/javascript">
    document.body.innerText = "Loaded into a frame.";

    let parent = window.parent;
    let oldIframe = parent.document.getElementById("mountPoint");
    if (oldIframe != null) {
        // Build a new iframe to replace the old one.
        let newIframe = parent.document.createElement("iframe");
        newIframe.setAttribute("src", "malicious_child.html");
        newIframe.setAttribute("id", "maliciousFrame");
        // Replace Old iFrame
        oldIframe.replaceWith(newIframe);
    } else {
        // When new frame is mounted you will see this alert
        alert(
            "This should not happen since the original iframe did not have 'allow-modals'."
        );
    }
</script>
</body>
</html>

Here is a CodeSandbox setup.
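As an added illustration of the rule quoted from MDN above (this is not code from the question, the answer, or tlk.io), here is a small audit helper that decides whether a given sandbox attribute value lets a same-origin frame escape, and what a hardened value would look like. It parses the attribute the way the HTML spec defines it (a whitespace-separated, ASCII case-insensitive token set). The function names, the frame descriptor shape and the sample frames are all assumptions constructed for the example.

```javascript
// Added example, not part of the original post. Function names and the
// frame descriptor shape ({ id, sandbox, sameOrigin }) are assumptions.

// ASCII whitespace per the HTML spec: space, tab, LF, FF, CR.
const ASCII_WHITESPACE = /[ \t\n\f\r]+/;

// Parse a sandbox attribute value into a Set of lowercase tokens.
// null means the attribute is absent (no sandbox at all);
// an empty string (sandbox="") means fully sandboxed: no tokens.
function parseSandbox(attrValue) {
  if (attrValue == null) return null;
  return new Set(
    attrValue.split(ASCII_WHITESPACE).filter(Boolean).map(t => t.toLowerCase())
  );
}

// True when the embedded document could remove its own sandboxing.
// Same-origin content + allow-same-origin + allow-scripts can script
// parent.document and replace the <iframe> element, as the answer shows.
function canEscapeSandbox(attrValue, embeddedIsSameOrigin) {
  const tokens = parseSandbox(attrValue);
  if (tokens === null) return true; // no sandbox attribute: nothing to escape
  return (
    embeddedIsSameOrigin &&
    tokens.has('allow-scripts') &&
    tokens.has('allow-same-origin')
  );
}

// Suggested hardened value: for a same-origin, scripted frame drop
// allow-same-origin so the frame gets an opaque origin and cannot reach
// parent.document. Cross-origin frames are left unchanged.
function hardenSandbox(attrValue, embeddedIsSameOrigin) {
  const tokens = parseSandbox(attrValue) ?? new Set();
  if (embeddedIsSameOrigin && tokens.has('allow-scripts')) {
    tokens.delete('allow-same-origin');
  }
  return [...tokens].sort().join(' ');
}

// Audit a list of frame descriptors and report each one.
function auditFrames(frames) {
  return frames.map(f => ({
    id: f.id,
    escapable: canEscapeSandbox(f.sandbox, f.sameOrigin),
    suggested: hardenSandbox(f.sandbox, f.sameOrigin),
  }));
}

// Constructed sample input: the attribute from the question, a tightened
// variant, a cross-origin frame with odd casing, and a frame with no sandbox.
const SAMPLE_FRAMES = [
  { id: 'mountPoint', sandbox: 'allow-same-origin allow-scripts', sameOrigin: true },
  { id: 'widget', sandbox: 'allow-scripts', sameOrigin: true },
  { id: 'thirdParty', sandbox: 'ALLOW-SCRIPTS Allow-Same-Origin', sameOrigin: false },
  { id: 'noSandbox', sandbox: null, sameOrigin: true },
];

console.log(JSON.stringify(auditFrames(SAMPLE_FRAMES), null, 2));
```

Two caveats for the questioner's setup: dropping allow-same-origin gives the frame an opaque origin, so a widget that relies on cookies or localStorage for the parent's origin will stop working, and the fix then is to serve the widget document from a separate origin instead. Either way, a cross-origin script loaded by the frame runs with the frame's own origin and sandbox flags, so the flags on the `<iframe>` are what bound it.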