Question

16

Detect if JavaScript is Executing In a Sandboxed Iframe?

rated 0 times [ 17] [ 1] / answers: 1 / hits: 6048 / 9 Years ago, fri, april 3, 2015, 12:00:00

I have a product that's playing a video in Flash (if available), and falls back to HTML5 if Flash isn't available.

I'm not able to find a way to determine if JavaScript is executing within an Iframe with the sandbox attribute, which is necessary for my solution because sandboxed iframes disable all plugins. The sandboxed iframe could be as simple as this:

<iframe src=http://www.cross-domain.com/ sandbox=allow-scripts>

To determine if Flash is enabled, I'm using swfobject's method of checking navigator.plugins[Shockwave Flash].description, which is set even when in a sandboxed iframe. I can load the swf object, but it doesn't play.

To reproduce this issue, visit http://jsfiddle.net/max_winderbaum/9cqkjo45/, open your chrome inspector and click Run. The script on the cross-domain site will pause in the context of the sandboxed iframe.

According to the W3 spec at http://dev.w3.org/html5/spec-preview/browsers.html#sandboxing-flag-set, there is supposed to be an active sandboxing flag set on the document that JavaScript can access (at least that's how I'm reading the spec). There doesn't seem to be any flag set on the iframe's document.

Does anyone have any ideas / solutions on how to detect if JavaScript is executing from within a sandboxed iframe?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

hayleevalenciac

Add To Favorites

Follow

Total Points: 164

Total Questions: 89

Total Answers: 106

Location: Burkina Faso

Member since Thu, Dec 15, 2022

2 Years ago

hayleevalenciac questions

1 open modal automatically in livewire component it doesn't work

Wed, Aug 12, 20, 00:00, 4 Years ago

1 Axios requests with express, node, ejs

Thu, Jan 23, 20, 00:00, 4 Years ago

1 Regular expression validation in React Js for Input

Tue, Jan 7, 20, 00:00, 5 Years ago

1 I can't get Babel Optional Chaining Operators to work in glitch

Fri, Nov 1, 19, 00:00, 5 Years ago

1 Material UI Text Field, Current Cursor Position

Thu, Oct 17, 19, 00:00, 5 Years ago

View All

answered 9 Years ago jensenb · Accepted Answer

A project sandblaster can help you detect if you running being sandboxed.

Sandbox check if itself is framed first and then scans through the attributes of the frame element to detect several information about itself. These includes framed, crossOrigin, sandboxed, sandboxAllowances, unsandboxable, resandboxable, sandboxable.

To detect if itself is sandboxed in our case, it checks if the frame element has an attribute sandbox.

// On below `frameEl` is the detected frame element

try {

  result.sandboxed = frameEl.hasAttribute(sandbox);

}

catch (sandboxErr) {

  result.sandboxed = null;

  if (typeof errback === function) {

    errback(sandboxErr);

  }

}

I tried to replicate your issue and to test if this solution works, I had to paste the script into the window itself due to the security issue.

<html>

    <head>

    </head>

    <body>



    <script>

        //Paste the contents of the script(https://raw.githubusercontent.com/JamesMGreene/sandblaster/master/dist/sandblaster.js) here



        var result = sandblaster.detect();

        if(result.sandboxed === true) {

            //sandboxed

        }

        debugger;

    </script>

    </body>

</html>

Here is a demo: http://jsfiddle.net/Starx/tzmn4088/ that shows this working.