There's been a strong push in the P2PU community to allow users to use arbitrary <iframe/> elements in groups


Benefits (Why are we talking about this?)


But there are lots of security risks (see below for a full list). We want to allow more people to add great features.


Suggested Solution




Security Issues

1) Phishing

If any registered user can inject content in a page using an iframe, they can pretty effectively phish a website visitor. Imagine the  attacker creates a page with an iframe that points to http://evil.example.com/mypage.html  (a URL that they control). The iframe displays content with a form requesting personally identifiable information, or even worse, credit card information. An unwitting user may fill out the form thinking they were submitting the information to P2PU (an entity they trust) when in fact it is going to http://evil.example.com/mypage.html.

2) URL Redirection

This can range from annoying to dangerous as it could also be used as part of a phishing scam. Imagine now that http://evil.example.com/mypage.html contains the following snippet of Javascript:

<script type="text/javascript">
    parent.window.location = 'http://p2puu.org/en-US/course-home';
</script>

Where p2puu.org is a domain controlled by the attacker. The page could be dressed to look exactly like a page on p2pu.org  and again, the user can be phished for information, thinking they were  providing it to P2PU (e.g. imagine some faked campaign advertising benefits of paid memberships to P2PU).

The annoying case is simply redirecting them to some other site for either a prank (e.g. a porn site) or some ill fated attempt at generating ad revenue. Oh, they could also display ads on our site :) 

3) Using an iFrame to exploit existing vulnerabilities

Certain sites should never be loaded in an iframe, as an attacker could use clickjacking to trick a user into performing some dangerous operation  (usually some kind of user authorization or unwitting posting of  content). Popular examples are Facebook and Twitter worms. To get around  this, most sites send X-Frame-Options headers that prevent them from  being loaded in iframes in modern browsers or  they use frame busting javascript. Unfortunately not everyone gets this  right... case in point, Adobe still have a vulnerability in Flash that  will allow an attacker to activate a website visitors if they can  clickjack the user. Check it out:

http://www.feross.org/webcam-spy/
 
4) Cross Frame Scripting

There are a number  of data theft scenarios, especially on older browsers. I believe P2PU  uses HttpOnly cookies, but some older browsers could still be  compromised. More details here:

https://www.owasp.org/index.php/Cross_Frame_Scripting

Notice that a lot of the attack scenarios described in that link rely on an attacker exploiting an XSS vulnerability to inject an iframe on a compromised site... you'd basically be allowing registered users to skip  that step.

5) Message sending between iframe and parent\

An iframe on a page could  send messages to the parent. It is important to make sure to properly  filter on event.origin as documented at https://developer.mozilla.org/en/DOM/window.postMessage

6) Third Party Tracking

A user visiting a page that contains an iFrame will automatically send a request to the domain specified within the iFrame. This request to the third party domain will contain the parent page within the referrer header and also any established cookies that the user has with the third  party domain. As a result, a third party domain can track a users activity across any website where the iFrame has been placed.