Understanding the security of third-party frames?

Facebook and others offer small frames that I can embed on my site. Example:

<iframe src="http://www.facebook.com/widgets/like.php?href=http://example.com"
        scrolling="no" frameborder="0"
        style="border:none; width:450px; height:80px"></iframe>

What I would like to know is: if I insert this code on my site, could the code they serve into my page access my page's DOM? I see some security concerns if so.

Likewise, Facebook lets me put an iframe on their site; that's how Facebook apps work. Could I then delete any data from any page containing my iframe?

Note: I used Facebook as an example, but many companies do the same, so this question is not about Facebook in any way, and I have not tagged it as such.

Can a parent page also access the iframe DOM?

+5
3 answers

In fact, there are special origin inheritance rules for iframes. This is separate from the same-origin policy, and I highly recommend reading the entire Google Browser Security Handbook (browsersec).

+3

, DOM iframe. , , 508. iframe , iframes, iframe . jquery , , iframe ( ), mashup iframes .

, , jquery. ( , , .)

// Runs once the frame has finished loading. contents() only returns the
// frame's document when the frame is same-origin with this page; for a
// cross-origin frame the browser blocks the access.
$('iframe').load(function() {
    var f = $(this).contents();
    // Drop an element we do not want rendered inside the frame.
    f.find('#sysverb_back').remove();
    // Give column-heading links a title matching their text.
    f.find('a.column_head').each(function(){
        $(this).attr('title', $(this).text());
    });
    // Copy title to alt on images that lack alt text.
    f.find('img[title]:not([alt])').each(function(){
        $(this).attr('alt', $(this).attr('title'));
    });
    // Add hidden labels to inputs whose ids match the given patterns.
    f.find('input').filter(function() {
        return this.id.match(/sys_readonly\..+|ni\..+/);
    }).each(function() {
        $(this).before('<label for="' + this.id + '" style="display:none;">' + this.id + '</label>');
    });
});

, iframe DOM.

+3

iFrame, , .

.

  • Clickjacking/XSS , iframe
  • iFrame (, iFrame )
  • iframe JS-, , .
  • iframe location.href(yikes, , 3- bankofamerica.com bankofamerica.fake.com).
  • 3p (java/flash/activeX) .

, html5 "sandbox" , , iFrame X-FRAME-OPTIONS.

0
