diff --git a/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md b/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md
index c53d8724..2febd604 100644
--- a/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md
+++ b/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md
@@ -1,5 +1,7 @@
# Iframes in XSS, CSP and SOP
+## Iframes in XSS, CSP and SOP
+
Support HackTricks and get benefits!
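Review bot: The added `## Iframes in XSS, CSP and SOP` repeats the existing `# Iframes in XSS, CSP and SOP` title on the line directly above it, so the page would render the same heading twice. Either drop the new line or replace the H1 instead of adding under it. As written, the later `## Iframes in XSS` and `## Iframes in SOP` sections also sit at the same level as this duplicate title rather than beneath it.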
@@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Iframes in XSS
+## Iframes in XSS
There are 3 ways to indicate the content of an iframed page:
@@ -61,7 +62,7 @@ alert(parent.secret)
If you access the previous html via a http server (like `python3 -m http.server`) you will notice that all the scripts will be executed (as there is no CSP preventing it)., **the parent won’t be able to access the `secret` var inside any iframe** and **only the iframes if2 & if3 (which are considered to be same-site) can access the secret** in the original window.\
Note how if4 is considered to have `null` origin.
-## Iframes with CSP
+### Iframes with CSP
{% hint style="info" %}
Please, note how in the following bypasses the response to the iframed page doesn't contain any CSP header that prevents JS execution.
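Review bot: The unchanged paragraph above the `### Iframes with CSP` heading has a stray `.,` after `(as there is no CSP preventing it)` and calls if2 and if3 "same-site". Whether a frame can read `parent.secret` is decided by the same-origin policy the page is titled after, so "same-origin" is the accurate term. Worth fixing in this pass since the hunk already touches this section.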
@@ -115,7 +116,7 @@ if __name__ == "__main__":
app.run()
```
-## Other Payloads found on the wild
+### Other Payloads found on the wild
```html
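Review bot: The `+` heading `### Other Payloads found on the wild` carries over the wording "on the wild". Since the line is being rewritten anyway, change it to "in the wild".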
@@ -126,7 +127,7 @@ if __name__ == "__main__":
```
-## Iframe sandbox
+### Iframe sandbox
The `sandbox` attribute enables an extra set of restrictions for the content in the iframe. **By default, no restriction is applied.**
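Review bot: Under the new `### Iframe sandbox` heading, "By default, no restriction is applied." is ambiguous next to the following paragraph, which says an empty `sandbox` value applies all restrictions. Suggest "Without the `sandbox` attribute, no restriction is applied." so a reader does not take a bare `sandbox` to be permissive.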
@@ -147,9 +148,9 @@ The value of the `sandbox` attribute can either be empty (then all restrictions
```
-# Iframes in SOP
+## Iframes in SOP
-In this [**challenge**](https://github.com/terjanq/same-origin-xss) created by [**NDevTK**](https://github.com/NDevTK) and [**Terjanq**](https://github.com/terjanq) **** you need you need to exploit a XSS in the coded
+In this [**challenge**](https://github.com/terjanq/same-origin-xss) created by [**NDevTK**](https://github.com/NDevTK) and [**Terjanq**](https://github.com/terjanq) you need you need to exploit a XSS in the coded
```javascript
const identifier = '4a600cd2d4f9aa1cfb5aa786';
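Review bot: The replacement line in the `Iframes in SOP` section removes the stray `****` but still reads "you need you need to exploit a XSS in the coded". Suggest "you need to exploit an XSS in the code" followed by a colon to introduce the snippet.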
@@ -164,19 +165,19 @@ onmessage = e => {
The main problem is that the [**main page**](https://so-xss.terjanq.me) uses DomPurify to send the `data.body`, so in order to send your own html data to that code you need to **bypass** `e.origin !== window.origin`.
-## SOP bypass 1
+### SOP bypass 1
-When `//example.org` is embeded into a **sandboxed iframe**, then the page's **origin** will be **`null`**, i.e. `window.origin === 'null'`. So just by embedding the iframe via `
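Review bot: In the context line above `### SOP bypass 1`, the library is written `DomPurify`; the project's name is DOMPurify. The phrase "uses DomPurify to send the `data.body`" is also unclear about whether the main page sanitizes `data.body` before posting it, which is the point the `e.origin !== window.origin` bypass depends on, so it is worth rewording. If the replacement for the `-` line keeps "embeded", correct it to "embedded".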