by bawolff 340 days ago
> Security teams have raised red flags about iframes for years. Cross-frame scripting, clickjacking, and credential phishing are common exploits, since the frame executes third-party code inside your trusted domain

I would disagree.

Yes iframes have security risks, but they generally pale in comparison to giving some other random site full control of your page, which is the alternative.


Another alternative is loading a library and setting it to a fixed version.

You're still giving a 3rd party full access to your website, but at least it's more auditable and safe.

Fwiw, I think iframes are great!

While I agree that is better than nothing, I've always had my doubts about this approach.

Do people really audit such code? I doubt it. Does the code really not insert any additional code that allows bypassing the whole scheme (esp. if the point is to dynamically insert content)?

I also think most of the time, the biggest threat is not the vendor being intentionally evil but the vendor making a mistake that leads to XSS which someone else exploits. After all, if the vendor is intentionally being malicious they can probably sneakily bypass this sort of thing.

How is that different to any other library? Supply chain risk is a big problem.

Supply chain risk gets all the headlines, but personally I think it's a bit overhyped.

That said, things like SRI don't really fully fix the supply chain issue. Supply chain issues usually mean the developer intentionally upgrades to a new version, that unbeknownst to them is malicious. It is usually not about a resource getting replaced with nobody realizing it, everyone realizes the upgrade is happening. In such a situation it is likely SRI hashes would get upgraded too.

Solutions like hashes or digital signatures are useless if the person being tricked is the one responsible for signing things.
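Added example (not code from any commenter in the thread): how a Subresource Integrity value is generated and checked, illustrating the point above that SRI detects a resource that was swapped underneath you but gives no signal when the developer deliberately upgrades and regenerates the hash. The CDN URL and script bodies are constructed for the demonstration.

```python
import base64
import hashlib
import re


def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI `integrity` attribute value for a resource body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Browser-style check: the fetched body passes if any listed hash matches."""
    for token in integrity.split():
        algo, _, _expected = token.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue  # browsers ignore tokens with unknown algorithms
        if sri_integrity(body, algo) == token:
            return True
    return False


# Constructed sample: the widget version a developer pinned after auditing it.
PINNED_V1 = b"window.widget = function () { render('dashboard'); };\n"
PINNED_TAG = (
    '<script src="https://cdn.example.test/widget-1.0.0.js" '  # constructed URL
    f'integrity="{sri_integrity(PINNED_V1)}" crossorigin="anonymous"></script>'
)


def check_swap(served: bytes) -> bool:
    """Scenario 1: the CDN serves a body other than the one that was pinned.
    The hash in the page no longer matches, so the browser refuses to run it."""
    integrity = re.search(r'integrity="([^"]+)"', PINNED_TAG).group(1)
    return sri_matches(served, integrity)


def check_upgrade(new_body: bytes) -> bool:
    """Scenario 2: the developer knowingly upgrades and regenerates the hash
    from the new body. The check trivially passes, so SRI says nothing about
    whether the new version is trustworthy."""
    return sri_matches(new_body, sri_integrity(new_body))


if __name__ == "__main__":
    print(PINNED_TAG)
    print("swapped body accepted:", check_swap(PINNED_V1 + b"exfil();\n"))
    print("regenerated hash accepted:", check_upgrade(b"/* any new version */"))
```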

Also clickjacking isn't a security risk for the page embedding the iframe. This shows fundamental misunderstanding.

I have never understood the argument against iframes involving security.
Many of these arguments are context dependent. If I embed an iframe, then ask a user to log in / provide credentials to whatever is loaded into that iframe, I can see the argument since it is difficult for the user to verify the origin. However, for something "read only" like a dashboard, I really don't see the argument.