Iframe Sandboxing
The sandbox="" attribute should always be added to iframes with untrusted or third-party sources. An empty sandbox value applies every restriction: the framed document is treated as a unique origin and may not run scripts, submit forms, open popups or navigate the top-level page. Individual capabilities are granted back with tokens such as allow-scripts or allow-forms; grant only what the embed needs, and never combine allow-scripts with allow-same-origin for a frame whose content is also same-origin, because the framed script could then remove the sandbox attribute itself. Interactive embeds such as the video player below typically need at least allow-scripts to function.
<iframe allowfullscreen="" frameborder="0" height="375" src="https://www.youtube.com/embed/lzO4xPmWKmw" width="660"></iframe>
[http://www.stmartincentre.org.za/]
<iframe allowfullscreen="" frameborder="0" height="450" src="https://www.google.com/maps/embed?pb=!1m14!1m8!1m3!1d28624.301555517504!2d28.43302!3d-26.26044!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x1e95244ebd5e4691%3A0x265486dcc65c5a79!2s46+Derby+Ave%2C+Springs%2C+1560%2C+South+Africa!5e0!3m2!1sen!2sus!4v1472182015902" style="border:0" width="600"></iframe>
[http://www.stmartincentre.org.za/]
<iframe allowfullscreen="" class="giphy-embed" frameborder="0" height="300" src="//giphy.com/embed/11S1Zy5SPIqv84" width="220"></iframe>
[http://www.stmartincentre.org.za/]
Unsafe Resource
If a resource is loaded over src="http://...", it is transmitted without TLS. If the embedding page itself is loaded over HTTPS, this is a mixed content situation: the page is securely loaded but has unencrypted resources embedded, which an on-path attacker can read or replace. Modern browsers block active mixed content (scripts, stylesheets, frames) outright and, depending on the browser, upgrade or block images; older browsers only show a mixed-content warning, and by the time it is reported the resource has already been fetched, so an attack could have already succeeded. Reference resources over https:// (a protocol-relative // URL also works if the host serves TLS) and add a Content-Security-Policy with upgrade-insecure-requests as a safety net.
<script async="async" src="http://www.stmartincentre.org.za/media/com_acymailing/js/acymailing_module.js?v=5104" type="text/javascript"></script>
[http://www.stmartincentre.org.za/]
<link href="http://www.stmartincentre.org.za/media/com_acymailing/css/module_default.css?v=1536980253" rel="stylesheet" type="text/css"></link>
[http://www.stmartincentre.org.za/]
<img border="0" height="250" src="http://www.ibreviary.org/images/banners/ibreviaryweb_en.png" width="300"></img>
[http://www.stmartincentre.org.za/]
Crossorigin
The crossorigin="anonymous" attribute should always be added to external resources so that no user credentials are transmitted. By default the browser fetches such files with a plain GET request that carries the cookies and HTTP authentication the user holds for the resource's origin (subject to the cookie's SameSite attribute). If the source host is compromised, an attacker could collect these details. With crossorigin="anonymous" the request is made in CORS mode without credentials; the caveat is that the host must then answer with an Access-Control-Allow-Origin header, otherwise the browser refuses to use the resource. The attribute is also a prerequisite for integrity checks on cross-origin scripts and stylesheets.
<img border="0" height="250" src="http://www.ibreviary.org/images/banners/ibreviaryweb_en.png" width="300"></img>
[http://www.stmartincentre.org.za/]
Integrity
The integrity="sha256-..." attribute (Subresource Integrity) should always be added to external files hosted on another domain, because an unexpected manipulation or compromise of the hosted code can lead to session hijacking or similar script-related attacks. The value is the base64-encoded SHA-256, SHA-384 or SHA-512 digest of the exact file contents, and the browser refuses to execute a resource whose digest does not match. Browsers enforce integrity only on <script> and <link rel="stylesheet">, and a cross-origin resource must also carry crossorigin="anonymous" (with the host sending Access-Control-Allow-Origin) for the check to work. On an <img> such as the one below the attribute has no effect; an image hosted elsewhere is better protected by self-hosting it or by loading it over HTTPS under a Content Security Policy.
<img border="0" height="250" src="http://www.ibreviary.org/images/banners/ibreviaryweb_en.png" width="300"></img>
[http://www.stmartincentre.org.za/]
Link Referrer
The rel="noreferrer" attribute should always be added to external links. It suppresses the Referer header, so the target site does not learn which page (including any sensitive path or query string) the user came from, and it implies noopener, which prevents reverse tabnabbing, a phishing technique in which the opened page redirects the original tab, even in older browsers that do not support the rel="noopener" attribute.
<a href="http://www.zaop.org/" rel="noopener" target="_blank"><img alt="dominicanseal" height="200" src="/images/stories/dominicanseal.jpg" style="display: block; margin-left: auto; margin-right: auto;" width="200"></img></a>
[http://www.stmartincentre.org.za/]
<a href="http://giphy.com/gifs/trippy-dope-11S1Zy5SPIqv84"></a>
[http://www.stmartincentre.org.za/]
<a href="http://sacatholiconline.org/"><img alt="sacatholic ad" height="442" src="/images/stories/sacatholic_ad.jpg" style="display: block; margin-left: auto; margin-right: auto;" width="200"></img></a>
[http://www.stmartincentre.org.za/]
<a href="http://www.radioveritas.co.za" target="_blank"><img alt="veritas" height="155" src="/images/stories/veritas.png" style="display: block; margin: 5px auto;" width="180"></img></a>
[http://www.stmartincentre.org.za/]
<a href="http://www.sacatholiconline.org/" rel="noopener" style="color: #0000ff;" target="_blank">SA Catholic Online - for all your website and publishing needs!</a>
[http://www.stmartincentre.org.za/]
<a href="https://www.joomlashine.com" rel="nofollow" target="_blank" title="JoomlaShine is the best Joomla templates & extension provider">JoomlaShine.com</a>
[http://www.stmartincentre.org.za/]
Link Opener
The rel="noopener" attribute should always be added to external links that open in a new tab (target="_blank") to prevent reverse tabnabbing. Without it the new page receives a window.opener reference to the original tab. The same-origin policy stops it from reading the original page's DOM or cookies, but it may assign window.opener.location and so redirect the still-open original tab to a look-alike login page while the user's attention is on the new tab. Recent browsers (Chrome 88, Firefox 79 and Safari 12.1 onwards) apply noopener implicitly to target="_blank", but the attribute is still needed for older browsers, and rel="noreferrer" covers both cases.
<a href="http://www.radioveritas.co.za" target="_blank"><img alt="veritas" height="155" src="/images/stories/veritas.png" style="display: block; margin: 5px auto;" width="180"></img></a>
[http://www.stmartincentre.org.za/]
<a href="https://www.joomlashine.com" rel="nofollow" target="_blank" title="JoomlaShine is the best Joomla templates & extension provider">JoomlaShine.com</a>
[http://www.stmartincentre.org.za/]