The content of an iframe can be indicated with:

- `src` indicating a URL (the URL may be cross-origin or same-origin)
- `src` indicating the content using the `data:` protocol
- `srcdoc` indicating the content

If you serve the HTML with an HTTP server (for example `python3 -m http.server`) you will notice that all the scripts are executed (as there is no CSP preventing it). However, the parent won't be able to access the `secret` var inside any iframe, and only the iframes `if2` & `if3` (which are considered to be same-site) can access the `secret` in the original window.
Note how `if4` is considered to have `null` origin.

The `self` value of `script-src` won't allow the execution of JS code using the `data:` protocol or the `srcdoc` attribute.
However, even the `none` value of the CSP will allow the execution of the iframes that put a URL (complete or just the path) in the `src` attribute.
Therefore it's possible to bypass the CSP of a page with:

The `if1` and `if2` scripts are going to be executed, but only `if1` will be able to access the parent secret.

This works even with `script-src 'none'`. This can potentially also be done abusing a same-site JSONP endpoint.

This can be tested even with `script-src 'none'`. Just run the application and access it with your browser:

The `sandbox` attribute enables an extra set of restrictions for the content in the iframe. By default, no restriction is applied. When the `sandbox` attribute is present it will, among other things, block plugin content (`<embed>`, `<object>`, `<applet>`, or other). The value of the `sandbox` attribute can either be empty (then all restrictions are applied), or a space-separated list of pre-defined values that will REMOVE the particular restrictions.

The receiving code takes the HTML from `data.body`, so in order to send your own HTML data to that code you need to bypass the `e.origin !== window.origin` check.

When `//example.org` is embedded into a sandboxed iframe, then the page's origin will be `null`, i.e. `window.origin === 'null'`. So just by embedding the iframe via `<iframe sandbox="allow-scripts" src="https://so-xss.terjanq.me/iframe.php">` we could force the `null` origin (cookies might also need `SameSite=None`).

When the sandbox value `allow-popups` is set then the opened popup will inherit all the sandboxed attributes unless `allow-popups-to-escape-sandbox` is set.

So by opening a popup from the `null` origin page (`/iframe.php`), as `window.origin === e.origin` because both are `null`, it's possible to send a payload that will exploit the XSS.

This is then repeated from `/iframe.php`. Because the identifier is known, it doesn't matter that the condition `window.origin === e.origin` is not satisfied (remember, the origin is the popup from the iframe which has origin `null`) because `data.identifier === identifier`. Then, the XSS will trigger again, this time in the correct origin.
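As an added example (not code from the original page or the challenge), the following JavaScript models the `e.origin !== window.origin` guard discussed above next to an allowlist-based guard, to show why two opaque `null` origins pass the first but not the second; the trusted-origin list and the sample messages are constructed assumptions.

```javascript
// Added example, not code from the original page: a postMessage handler guard
// based on `e.origin !== window.origin` next to an allowlist-based guard.
// Origins are the strings the browser exposes; an opaque origin (sandboxed
// iframe, or a popup opened from it without allow-popups-to-escape-sandbox)
// is reported as the string "null" in both window.origin and event.origin.

// Naive guard from the text: accept only messages whose origin equals our own.
// Two unrelated null-origin contexts both read "null", so they pass this check.
function naiveGuard(eventOrigin, windowOrigin) {
  return eventOrigin === windowOrigin;
}

// Hardened guard: reject opaque origins outright and require the sender to be
// on an explicit allowlist of full origins (scheme + host + port).
function allowlistGuard(eventOrigin, trustedOrigins) {
  if (eventOrigin === "null") return false; // opaque origins are never trusted
  return trustedOrigins.includes(eventOrigin);
}

// Model of the receiving handler: returns the HTML it would hand to the
// renderer, or null when the message is rejected. It also checks the message
// shape before touching data.body.
function handleMessage(event, windowOrigin, trustedOrigins, useAllowlist) {
  const ok = useAllowlist
    ? allowlistGuard(event.origin, trustedOrigins)
    : naiveGuard(event.origin, windowOrigin);
  if (!ok) return null;
  if (!event.data || typeof event.data.body !== "string") return null;
  return event.data.body;
}

// Constructed sample messages (assumed values, not captured traffic).
const TRUSTED = ["https://so-xss.terjanq.me"]; // assumed allowlist
const fromTrusted = { origin: "https://so-xss.terjanq.me", data: { body: "<b>hi</b>" } };
const fromNullOrigin = { origin: "null", data: { body: "<p>attacker markup</p>" } };

// Receiver running in a sandboxed (null-origin) context, as in the bypass:
// the naive guard accepts the null-origin sender, the allowlist guard does not.
function demo() {
  return {
    naiveInSandbox: handleMessage(fromNullOrigin, "null", TRUSTED, false),
    allowlistInSandbox: handleMessage(fromNullOrigin, "null", TRUSTED, true),
    allowlistTrusted: handleMessage(fromTrusted, "https://so-xss.terjanq.me", TRUSTED, true),
  };
}
```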