[whatwg] Security Issue- Iframe Sandbox attribute - Clarity of operation

Sethu mathavan siyan.mady at gmail.com
Tue Mar 6 05:58:37 PST 2012

Im a professional application pentester. i developed and tested my own
html5 web application with iframes included in it.

My code for iframe  is <iframe src="xyz.htm" sandbox="">.
Expected working is that scripts in the "xyz.htm" should not be executed.
Normally,it works fine.

But i was able to alter the sandbox attribute by intercepting and modifying
the  the response with a proxy tool as follows:
<iframe src="xyz.htm" sandbox="allow-same-origin allow-scripts">
Now, browser allows the script in xyz.htm to get executed and original
functionality is altered.

The main purpose of implementing the sandbox attribute is to restrict the
contents within the particular frame. But that very purpose is being
compromised. This facilitates the Man-in-the-middle attack. Is this the
intended working of the attribute or is there any modifications planned for
the future? Need more clarification on this.

Application Pentester.

More information about the whatwg mailing list