Iframe Sandbox Breakout Test Suite
I needed a plain, single-file test page to probe iframe sandbox behavior without dragging our whole dashboard along for the ride. So I built the Iframe Sandbox Breakout Test Suite. It is self-contained, easy to drop into any environment, and focused on common browser escape and abuse paths.
Run the page standalone, then load it inside an iframe (with and without a sandbox attribute), and compare the results log. Every test reports attempted/success/blocked/error so you can see exactly which capabilities are available.
Navigation Escape Attempts
These tests check whether an embedded page can navigate outside its frame. That is the classic breakout vector: forcing the top-level page to navigate to a phishing site, or replacing the current URL to hide what is really loaded.
- Anchor targets: _top, _parent, _self, _blank.
- Scripted redirects using top.location, parent.location, and location.
- History API changes with pushState and replaceState for URL spoofing.
If the sandbox is configured correctly, top/parent navigation should be blocked, and history changes should not let a framed page impersonate the host page.
Window Creation and Popups
Popup creation can bypass sandbox expectations or enable reverse tabnabbing. The suite calls window.open with standard targets and then with noopener/noreferrer flags.
Why it matters: if the new window has an opener reference, a hostile page can redirect the original tab to a login prompt or malware page. A tight sandbox should either block popups or ensure the new window cannot control its opener.
Form Submission
Forms can be auto-submitted to navigate the top frame or to exfiltrate data. The suite includes POST submissions targeted at _top, _parent, and _self with a dummy payload.
Real-world abuse: a hidden iframe auto-submits a form that navigates the parent to a fake login page, or submits data to a third-party endpoint. A locked sandbox should prevent cross-frame form navigation.
Storage and Origin Access
This section checks whether the iframe can read/write cookies, use localStorage and sessionStorage, and open indexedDB.
Storage is a persistence layer. If a framed page can access the host origin or reuse storage across sites, it can track users, steal session data, or plant state for later abuse. In many sandbox setups, the frame gets an opaque origin and storage calls should fail with a security exception.
JavaScript Capabilities
Sandboxing and CSP can restrict script execution. The suite checks inline scripts, a data URL script tag, eval, and the Function constructor. It also calls alert, confirm, and prompt.
Why it matters: blocking dynamic code execution reduces XSS impact, and blocking modal dialogs limits UI abuse (e.g., repeated prompts to force user interaction). A strict policy should surface clear failures here.
Top-Frame Access
The suite detects whether top !== window, tries to read top.location.href, and sends a postMessage to the top frame.
Direct reads of top.location should throw a security error across origins. postMessage is allowed, but the host page must validate origin and source to avoid message spoofing.
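The host-side check described above, as an added example that is not part of the original test suite. It covers the case where the frame is sandboxed without allow-same-origin, so its messages arrive with the literal origin string "null" and the source comparison carries the weight. The names createFrameMessageGuard, handleResult, the "test-result" message type and the iframe id "suite" are assumptions made for illustration.

```javascript
// Added example: host-page validation of messages coming from an embedded frame.
// Returns a function that classifies a MessageEvent (or an object shaped like one).
function createFrameMessageGuard({ frameWindow, expectedOrigin, allowedTypes }) {
  const types = new Set(allowedTypes);
  return function check(event) {
    // 1. Source: the message must come from the exact window we embedded.
    //    With an opaque-origin frame this is the only check that identifies the sender.
    if (event.source !== frameWindow) {
      return { ok: false, reason: "unexpected-source" };
    }
    // 2. Origin: exact string equality, never startsWith/includes/regex.
    //    A sandboxed frame without allow-same-origin reports the string "null".
    if (event.origin !== expectedOrigin) {
      return { ok: false, reason: "unexpected-origin" };
    }
    // 3. Payload: untrusted data, so accept only a plain object with a known type.
    const data = event.data;
    if (data === null || typeof data !== "object" || Array.isArray(data)) {
      return { ok: false, reason: "malformed-payload" };
    }
    if (typeof data.type !== "string" || !types.has(data.type)) {
      return { ok: false, reason: "unknown-type" };
    }
    return { ok: true, type: data.type, payload: data.payload };
  };
}

// Browser wiring (hypothetical iframe id and handler name):
//   const frame = document.getElementById("suite");
//   const check = createFrameMessageGuard({
//     frameWindow: frame.contentWindow,
//     expectedOrigin: "null",          // frame sandboxed without allow-same-origin
//     allowedTypes: ["test-result"],
//   });
//   window.addEventListener("message", (e) => {
//     const verdict = check(e);
//     if (verdict.ok) handleResult(verdict.payload);
//   });
```

When the frame keeps a real origin (allow-same-origin set, or no sandbox), pass that origin as expectedOrigin instead of "null"; the source check still applies.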
Pointer, Focus, and Downloads
These tests cover window.focus, pointer lock, and a[download]. Each one can change user focus or trigger a download without obvious intent.
Abuse cases include focus stealing to capture keystrokes, pointer lock to trap cursor movement, and drive-by downloads. A strict sandbox should require a user gesture and may block the API entirely.
Clipboard and Fullscreen
Clipboard read/write and fullscreen requests are both sensitive. A hostile iframe could read secrets or replace clipboard contents with a malicious command. Fullscreen can be used for UI spoofing. The suite checks navigator.clipboard and requestFullscreen and logs whether the browser allows them.
Permissions and Device APIs
Geolocation, Notifications, and MediaDevices are permission-gated APIs. The suite calls each one and logs whether the browser prompts, blocks, or grants. In iframes, these often require both a user gesture and explicit allow attributes on the iframe.
These are high-value permissions: location data, persistent notification prompts, and microphone access are all common abuse targets.
CSP and Sandbox Introspection
The page shows document.referrer, document.domain, document.origin, and the iframe sandbox attribute if present. This helps confirm whether the frame is treated as an opaque origin and whether you are actually running under the restrictions you think you are.