Iframe Sandbox Trick

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://phor3nsic.github.io/2026/01/21/trick-iframe-sandbox.html
• Blog Title: Iframe Sandbox Trick
• Suggested Section: Pentesting Web -> Clickjacking (UI Redress) / Iframe-related tricks (add note: sandboxed iframe can still trigger HTTP Basic Auth modal via 401+WWW-Authenticate even without allow-popups)

🎯 Content Summary

The post documents a practical browser/UI-security trick: a sandboxed iframe that does not include allow-popups can still cause the browser to display an HTTP Basic Authentication credential prompt (a modal dialog), as long as the iframe sandbox includes allow-scripts.

1) Setup / requirements
The minimal scenario is a sandboxed iframe where scripts are allowed but popups are not:

<iframe sandbox="allow-scripts&quo...

🔧 Technical Details
If you can control navigation of a sandboxed iframe that allows scripts but disallows popups (<iframe sandbox="allow-scripts"> without allow-popups), you can still trigger a browser-controlled modal by loading an HTTP Basic Auth endpoint that returns 401 Unauthorized plus a WWW-Authenticate header (e.g., https://httpbin.org/basic-auth/user/pass). Because the prompt is generated by the browser’s authentication/network stack rather than JavaScript dialog APIs (alert()/prompt()/confirm()), it can appear despite sandbox UI/popup expectations, enabling UI redress/phishing patterns (especially when combined with clickjacking/deceptive framing).
🤖 Agent Actions
Summary:

Added a new clickjacking variant describing how sandboxed iframes (with only allow-scripts) can still trigger HTTP Basic Auth modals via 401 + WWW-Authenticate, including PoC steps and phishing/redress implications.
Updated references to include the sandboxed iframe Basic Auth research and related Chromium/ChromeStatus discussions.

Tests:

Not run (documentation-only changes).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://phor3nsic.github.io/2026/01/21/trick-iframe-sandbox.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Clickjacking (UI Redress) / Iframe-related tricks (add note: sandboxed iframe can still trigger HTTP Basic Auth modal via 401+WWW-Authenticate even without allow-popups)".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge