Parent token / network theft attempts
Probe the boundary around parent JWTs, storage, and in-flight network requests from inside an iframe.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | partial |
| sandbox="allow-scripts" | partial |
| sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/token-exfil?lang=en" title="XSS Playground - Parent token / network theft attempts" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Explanation
- Blocked: parent.localStorage, parent.document.cookie, parent.document access, and intercepting parent XHR/fetch should all be blocked by SOP.
- Allowed: document.referrer, location.ancestorOrigins, sending parent.postMessage, and collecting input inside the iframe's own origin may still work.
- Risk variable: if the parent service returns tokens from a message listener, unauthorized iframes can receive them. Validating event.origin is required.
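To make the last point concrete, here is an added example (not code from the playground) of a parent-page message listener that hands out a session token on request, written two ways: the vulnerable form answers any frame that asks, the hardened form applies the event.origin check described above. The allow-listed origin, getSessionToken and the "get-token" message type are assumptions for this example.

```javascript
// Assumed allow-list of child origins permitted to ask for the token.
const ALLOWED_CHILD_ORIGINS = new Set(["https://widgets.example.com"]);

// Stand-in for wherever the parent really keeps its JWT (constructed value).
function getSessionToken() {
  return "eyJ.constructed.jwt";
}

// Vulnerable: any frame that can reach parent.postMessage gets the token.
// A sandboxed iframe with allow-scripts can still send messages, so the
// sandbox alone does not protect this listener.
function handleMessageVulnerable(event) {
  if (event.data && event.data.type === "get-token") {
    return { type: "token", token: getSessionToken() };
  }
  return null;
}

// Hardened: exact-match event.origin against the allow-list and reply only
// to that origin (never "*"). A frame sandboxed without allow-same-origin
// reports the opaque origin "null", which correctly fails this check.
function handleMessageHardened(event) {
  if (!ALLOWED_CHILD_ORIGINS.has(event.origin)) {
    return null; // drop silently; a real app might log this for detection
  }
  if (event.data && event.data.type === "get-token") {
    return { type: "token", token: getSessionToken(), targetOrigin: event.origin };
  }
  return null;
}

// Wiring in a browser page; skipped when run outside one (e.g. under Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const reply = handleMessageHardened(e);
    if (reply && e.source) {
      e.source.postMessage({ type: reply.type, token: reply.token }, reply.targetOrigin);
    }
  });
}
```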