# Iframes in XSS, CSP and SOP
Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
## Iframes in XSS
There are 3 ways to indicate the content of an iframed page:
* Via `src` indicating an URL (the URL may be cross origin or same origin)
* Via `src` indicating the content using the `data:` protocol
* Via `srcdoc` indicating the content
**Accesing Parent & Child vars**
```html
```
```html
```
**If you access the previous html via a http server (like `python3 -m http.server`) you will notice that all the scripts will be executed (as there is no CSP preventing it).**, **the parent won’t be able to access the `secret` var inside any iframe** and **only the iframes if2 & if3 (which are considered to be same-site) can access the secret** in the original window.\
Note how if4 is considered to have `null` origin.
### Iframes with CSP
{% hint style="info" %}
Please, note how in the following bypasses the response to the iframed page doesn't contain any CSP header that prevents JS execution.
{% endhint %}
The `self` value of `script-src` won’t allow the execution of the JS code using the `data:` protocol or the `srcdoc` attribute.\
However, even the `none` value of the CSP will allow the execution of the iframes that put a URL (complete or just the path) in the `src` attribute.\
Therefore it’s possible to bypass the CSP of a page with:
```html
```
**ghItlhvam** **CSP** **vItlhutlh** **inline script** **execution** **choH**.\
**`if1`** **`if2`** **scripts** **execution** **choH** **`if1`** **parent secret** **access** **loS**.
 (1) (1).png>)
**CSP** **bypass** **possible** **JS file** **server** **upload** **load** **iframe** **`script-src 'none'`** **ghItlhvam**. **potentially** **abusing** **same-site JSONP endpoint** **ghItlhvam**.
**cookie** **stolen** **scenario** **test** **possible** **`script-src 'none'`** **loS**. **application** **run** **access** **browser** **ghItlh**:
```plaintext
```
```python
import flask
from flask import Flask
app = Flask(__name__)
@app.route("/")
def index():
resp = flask.Response('')
resp.headers['Content-Security-Policy'] = "script-src 'self'"
resp.headers['Set-Cookie'] = 'secret=THISISMYSECRET'
return resp
@app.route("/cookie_s.html")
def cookie_s():
return ""
if __name__ == "__main__":
app.run()
```
### Qa'leghvam vItlhutlh
```html
```
### Iframe sandbox
Iframe vItlhutlh
Iframe vItlhutlh vItlhutlh `sandbox` attribute vItlhutlh. vItlhutlh, vItlhutlh attribute vItlhutlh, vItlhutlh vItlhutlh vItlhutlh vItlhutlh.
vItlhutlh, `sandbox` attribute vItlhutlh vItlhutlh vItlhutlh:
- vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh.
- vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh.
- vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh.
- vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh.
- vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh.
- `