In what ways can inserting an iframe tag containing potentially untrusted content into HTML markup be dangerous?
In this 2003 blog post, Mark Pilgrim suggests that iframe tags are dangerous, and should be stripped as a component of HTML sanitization: http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely

In what ways can an iframe tag containing untrusted content be dangerous?
The potential attack scope is pretty broad and the only saving grace is what you alluded to in your comment regarding the DOM disallowing script from one domain directly interacting with that from another (i.e. iframe accessing cookies from the parent page). However, there's no guarantee that the "untrusted" contents of the iframe won't contain any number of vulnerabilities itself, including XSS which could rewrite the contents of the frame.
Then of course there are various levels of browser manipulation the iframe can perform such as redirecting the page which then makes you vulnerable to attacks like tabnabbing. Or the iframe could simply serve up a nice little malware package.
The problem with having an iframe with an untrusted site is that to the end user, it's very well integrated and for all intents and purposes, it's part of your site. Beyond the security risks outlined above, you will be perceived to be responsible for the contents and given it's untrusted, you have no assurance as to whether that content is objectionable or not.
In short, you want to be pretty confident in the integrity of the page you're loading into that frame (i.e. Twitter or Facebook button). I certainly wouldn't be allowing an arbitrary, user defined page to be loaded into a publicly facing site.