This is why I think per-site security settings in the browser are a good thing. Regardless of whether it's in an iframe or not, if I haven't allowed some site to run scripts/use cookies/etc., it won't.
Opera (before they switched to WebKit/Blink) has per-site settings. IE has security zones (not per-site, but only a trusted/untrusted grouping.) Firefox can do it with extensions like NoScript, and I'm not familiar enough with Chrome or anything WebKit/Blink-based to know whether it can be done.
Would it be possible to constantly scan the DOM for new iframes and add the attribute with JS? Seems like there might be a small window of opportunity though for bad things to happen, if it would even work.
Assuming you're talking about `sandbox`, I'd be wary about that.
If nothing else, what happens if someone visits the site without support for `sandbox`? You best option (not displaying it if the browser doesn't support it) breaks the site for users without JS, or that don't have support `sandbox`.
If you apply the sandbox attribute to the iframes it should be ok. It allows fine grained control of what the iframe is allowed to do. Scripts, navigation, popups, etc. are forbidden except explicitly allowed.
If nothing else, what happens if someone visits the site without support for `sandbox`? You best option (not displaying it if the browser doesn't support it) breaks the site for users without JS, or that don't have support `sandbox`.
Good point. But the sandbox attribute is around 90% [1] of browsers. The number of browsers which don't support it and don't run javascript may be too low to make supporting them practical, but YMMV.
Userify just removed all third party inclusions except CDN from the app itself. I wish more companies would do this.
What's the point of strong TLS if you're potentially leaking every click and keystroke to a third party?
Use Privacy Badger where you can: https://www.eff.org/privacybadger