- allow-same-origin allows iframe content only from the same domain.
- allow-top-navigation allows the iframe to change the URI of the parent.
- allow-forms allows the use of forms inside the iframe.
If the sandbox attribute is present with no options, every restriction applies and the iframe can only display basic HTML (no scripts, forms, plugins or top-level navigation). Restrictions are lifted selectively by listing options in the iframe's sandbox attribute, as follows:
<iframe src="page.php" sandbox="allow-forms allow-scripts"> </iframe>
This method works well unless the script has been loaded in a sandboxed iframe that does not have the "allow-top-navigation" and "allow-scripts" options enabled: without them the frame can neither run the script nor navigate the top-level page, so the frame-busting code never takes effect.
There is an elegant solution to prevent this type of attack - the HTTP header "X-Frame-Options" - which is now supported in the latest versions of IE, Firefox, Safari and Chrome. It lets the server state whether its content may be loaded inside an iframe at all: either only by pages from the same domain (SAMEORIGIN), or by nobody (DENY). Surprisingly there aren't many sites using it.
If you're running Apache with mod_headers installed, you can automatically add this header to all of your pages by adding the following line to your apache.conf:
Header always append X-Frame-Options SAMEORIGIN
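Once the header is in place it is worth verifying that browsers will actually honour it, since an application that already emits its own X-Frame-Options can end up sending a conflicting pair after the server appends another. The following Python script is an added example written for this article (it is not the article's own code, nor part of Apache): it reads a response's headers the way the HTML standard does (splitting X-Frame-Options on commas and comparing the unique values), also looks for the CSP frame-ancestors directive that newer browsers prefer, and reports whether the page is protected. The function names, the user-agent string and the sample header sets are my own constructions.

```python
# Added example, not from the original article: assess whether response headers
# give a page clickjacking protection, reading them the way a browser would.
from urllib.request import Request, urlopen

XFO_DIRECTIVES = {"DENY", "SAMEORIGIN"}


def assess_framing_headers(headers):
    """headers: list of (name, value) pairs as received, duplicates included.

    Returns a dict with the effective X-Frame-Options value (or None), every
    frame-ancestors source list found, a 'protected' verdict and a list of
    issues worth fixing.
    """
    issues = []

    # Collect every X-Frame-Options value. A header sent twice and a single header
    # whose value was comma-merged (as 'Header append' does) are split the same way,
    # which is how the HTML standard processes the header.
    raw = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            raw.extend(part.strip().upper() for part in value.split(","))
    unique = sorted(set(v for v in raw if v))

    xfo = None
    if len(unique) > 1:
        issues.append(
            "conflicting X-Frame-Options values %s; send a single value (this happens "
            "when the application sets its own header and the server appends another)"
            % unique
        )
    elif len(unique) == 1:
        value = unique[0]
        if value in XFO_DIRECTIVES:
            xfo = value
        elif value.startswith("ALLOW-FROM"):
            issues.append("ALLOW-FROM is obsolete and ignored by current browsers; "
                          "use CSP frame-ancestors instead")
        else:
            # Browsers ignore unrecognised values, so the page stays frameable.
            issues.append("unrecognised X-Frame-Options value %r" % value)

    # CSP frame-ancestors: collect the source list from every policy received,
    # because a browser enforces all of them and any one of them can block framing.
    policies = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                policies.append(tokens[1:])
                if tokens[1:] == ["*"]:
                    issues.append("frame-ancestors * allows framing by any origin")

    csp_protects = any(sources != ["*"] for sources in policies)
    if xfo is None and not policies and not issues:
        issues.append("no X-Frame-Options or frame-ancestors header: the page can be "
                      "framed by any origin")

    return {
        "x_frame_options": xfo,
        "frame_ancestors": policies,
        "protected": xfo is not None or csp_protects,
        "issues": issues,
    }


def check_url(url, timeout=10):
    """Fetch a URL and assess its headers (GET rather than HEAD, which some servers reject)."""
    req = Request(url, headers={"User-Agent": "framing-header-check/1.0"})  # assumed UA string
    with urlopen(req, timeout=timeout) as resp:
        return assess_framing_headers(resp.getheaders())


if __name__ == "__main__":
    # Constructed sample responses (not captured from any real site); runs offline.
    samples = {
        "apache SAMEORIGIN": [("X-Frame-Options", "SAMEORIGIN")],
        "app DENY + server append": [("X-Frame-Options", "DENY, SAMEORIGIN")],
        "csp only": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
        "nothing": [("Content-Type", "text/html")],
    }
    for label, hdrs in samples.items():
        print(label, "->", assess_framing_headers(hdrs))
```

Run it against a live site with `check_url("https://your-site.example/")`; a conflicting or ALLOW-FROM result means the Apache line above is being merged with a header the application already sends, and one of the two should be removed rather than relying on whichever fallback a given browser applies.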