Parent token / network exfiltration attempts
Multi-angle attempts to extract JWT, in-flight network, or storage from the parent. See exactly what SOP blocks and what slips through.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | partial |
sandbox="allow-scripts" | partial |
sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/token-exfil?lang=en" title="XSS Playground - Parent token / network exfiltration attempts" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
실행
// 로그 없음
해설
- 막힘: parent.localStorage, parent.document.cookie, parent.document 접근, 부모 XHR/fetch 가로채기 — 모두 SOP 가 차단.
- 통과: document.referrer (부모 URL 노출), location.ancestorOrigins (부모 origin 노출), parent.postMessage 송신, 자기 origin 안에서 키/클릭/입력 수집.
- 위험 변수: 부모 서비스가 message 리스너에서 토큰을 돌려주는 핸들러를 두고 있다면, 인가되지 않은 호스트의 iframe 에도 토큰이 흘러갈 수 있음.
event.origin검증 필수.