Clickjacking and Phishing with help from the HTML5 JavaScript Sandbox

Published on by

HTML5 has some nice new features one of which is JavaScript Sandboxing using iframes. Chrome is currently the only browser to support this but you can be sure others will soon follow. The sandbox allows control over what can be executed within an iframe, it provides the following options.

  • allow-same-origin allows iframe content only from the same domain.
  • allow-top-navigation allows the iframe to change the URI of the parent.
  • allow-forms allows the use of forms inside the iframe.
  • allow-scripts allows JavaScript to run inside the iframe.

If no options are specified for the sandbox then the iframe can only display basic HTML. It can be implemented using the iframe sandbox property as follows:

<iframe src="page.php" sandbox="allow-forms allow-scripts">

The feature is great for an attacker as it allows them to now include pages inside an iframe that previously had some JavaScript iframe breakout code in place. This is great for Clickjacking or Phishing attacks. Lets take a look the most popular way of breaking out of an iframe and show how by simply sandboxing the iframe we can prevent the JavaScript breakout code from working.

<script type="text/javascript">
    if (top.location!= self.location) {
        top.location = self.location.href

And this method works great unless the script has been loaded in a sandboxed iframe that doesn't have the sandboxing options "allow-top-navigation" and "allow-scripts" enabled.

Without either of these options the script just wont work. The great thing is we have some level of granular control, you can have "allow-scripts" on your iframe (which will allow all the JavaScript found in the iframe to run) but you can omit the "allow-top-navigation" which will stop the JavaScript iframe breakout.

There is an elegant solution to prevent this type of attack - the HTTP header "X-Frame-Options" - which is now supported in the latest versions of IE, Firefox, Safari and Chrome. It allows the server to specify if it should allow its content to be loaded from within an iframe by either pages from the same domain (SAMEORIGIN), or not at all (DENY). Surprisingly there aren't many sites using it.

If your running Apache with mod_headers installed you can automatically add this header to all of your pages by adding the following lines to your apache.conf

Header always append X-Frame-Options SAMEORIGIN

Don't forget, X-Frame-Options isn't supported in older browsers so its still worth keeping your existing JavaScript iframe breakout code in place.