Are cross-domain iframes secure?

[mpeterdev]

With discussions around leveraging cross-domain iframes for security purposes gaining steam, let's collect information on whether those claims of security are reliable.

Please post any concerns or supporting docs/articles here

[mpeterdev]

A possible attack vector, courtesy of @ MaximusHaximus:
https://owasp.org/www-community/attacks/Cross_Frame_Scripting

[mpeterdev]

Per OWASP's Third Party Javascript Management cheatsheet:

Virtual iframe Containment (link)

This technique creates iFrames that run asynchronously in relation to the main page. It also provides its own containment JavaScript that automates the dynamic implementation of the protected iFrames based on the marketing tag requirements.

I could not find a clear answer on what a "virtual iframe" is. It might be an iframe that is visually hidden similar to the solution Stripe uses

UI extensions run in an invisible, sandboxed iframe that asynchronously sends UI updates to the Stripe Dashboard, which then displays the UI updates. A single sandbox can accommodate multiple views at the same time.
https://stripe.com/docs/stripe-apps/how-ui-extensions-work

[evgenykuzyakov]

We need to check security docs from the iframes with the sandbox attribute. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox and see if there are still issues.

And then consider if VM allows similar options already (like spamming fetch requests).