Menu
The IFrame widget is a special widget that can be used to embed a different application.
The “Same Origin” policy states that: if we have a reference to another window, e.g. a popup created by window. open or a window inside <iframe> , and that window comes from the same origin, then we have full access to that window.
Set the iframe to the appropriate width and height and set the scrolling attribute to "no". If the area you want is not in the top-left portion of the page, you can scroll the content to the appropriate area.
The Google +1 widget is JavaScript that runs on your website that is building an iframe. This JavaScript widget is running within the context of your website and therefore is not constrained by the Origin Inheritance Rules for iframes. Therefore this JavaScript widget can set whatever DOM events it wants on the parent site even though it appears to be just a simple iframe.
Another thing, why is Google using an iframe? Why not just generate a div on the page? Well because the link originates from the iframe, a CSRF (cross-site request forgery) token can be embedded in the request and the parent site cannot read this token and forge the request. So the iframe is an anti-CSRF measure that relies upon the Origin Inheritance rules to protect itself from a malicious parent.
From an attack perspective this is more like XSS (cross-site scripting) than UI-Redress. You are giving Google access to your website and they could hijack your users' cookie's or perform XmlHttpRequests against your website if they so choose (but then people would sue them for being malicious and wealthy).
In this situation you HAVE to trust Google, but Google doesn't trust you.
There are ways of mitigating the privacy impact of these web-bugs.
Google uses iFrames to prevent "leaky standard DIVs." Their closure library dialog does the same thing. It is probably just so that other content cannot bleed into the +1 button. http://closure-library.googlecode.com/svn/trunk/closure/goog/demos/dialog.html.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With