Use XSS vulnerability in iframe to compromise parent?

Iframes have a special tag called "sandbox" that sets how to treat the content of the iframe. Using that tag, you can granularly set permissions to allow an iframe to interact with the parent. Normally iframes are pretty restrictive as to how they can affect a parent when loaded from a different domain, but if you see things like: allow-same-origin, allow-scripts, allow-top-navigation, etc then there may be case specific ways to exploit it.

[edit] Most cases of iframe XSS attacks do not actually involve injecting arbitrary code into the parent website. Instead they are typically one of the following:

  1. You take control of the child website, and replace it with something like a fake login form to make people think that they are loging into the parent website to access the content, when you are really phishing their credentials.
  2. You distribute a "useful" service that other programmers embed in their sites that you actually use to phish private information. Then you pray on people's trust of these other websites to get them to give you something useful. For example: a tax bracket calculator that asks for your name, address, and SSN.
  3. Instead of, you make an evil twin website called that contains inside of an iframe so that it behaves just like the real site, but your version of the website is collecting the end user's private information.

So, the most likely way for you to be able to exploit this scenario would be if you could replace the form with something that looks like a login form for and post not to, but to something that you actually control to steal user credentials.