Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do Google+ +1 widgets break out of their iframe?

Tags:

html

browser

security

iframe

google-plus-one

People also ask

Is an iframe a widget?

The IFrame widget is a special widget that can be used to embed a different application.

What is allow same origin in iframe?

The “Same Origin” policy states that: if we have a reference to another window, e.g. a popup created by window. open or a window inside <iframe> , and that window comes from the same origin, then we have full access to that window.

Can an iframe show only part of page?

Set the iframe to the appropriate width and height and set the scrolling attribute to "no". If the area you want is not in the top-left portion of the page, you can scroll the content to the appropriate area.

The Google +1 widget is JavaScript that runs on your website that is building an iframe. This JavaScript widget is running within the context of your website and therefore is not constrained by the Origin Inheritance Rules for iframes. Therefore this JavaScript widget can set whatever DOM events it wants on the parent site even though it appears to be just a simple iframe.

Another thing, why is Google using an iframe? Why not just generate a div on the page? Well because the link originates from the iframe, a CSRF (cross-site request forgery) token can be embedded in the request and the parent site cannot read this token and forge the request. So the iframe is an anti-CSRF measure that relies upon the Origin Inheritance rules to protect itself from a malicious parent.

From an attack perspective this is more like XSS (cross-site scripting) than UI-Redress. You are giving Google access to your website and they could hijack your users' cookie's or perform XmlHttpRequests against your website if they so choose (but then people would sue them for being malicious and wealthy).

In this situation you HAVE to trust Google, but Google doesn't trust you.

There are ways of mitigating the privacy impact of these web-bugs.


Google uses iFrames to prevent "leaky standard DIVs." Their closure library dialog does the same thing. It is probably just so that other content cannot bleed into the +1 button. http://closure-library.googlecode.com/svn/trunk/closure/goog/demos/dialog.html.

Related questions

How to make a whole 'div' clickable in html and css without JavaScript? [duplicate]
<!--[if !IE]> not working
Change Bootstrap tooltip color
Upload progress indicators for fetch?
CSS Pseudo-classes with inline styles
Size of font in CSS with slash
how to set cursor style to pointer for links without hrefs
Using $_POST to get select option value from HTML
How to resize an image to fit in the browser window?
Display text on MouseOver for image in html
Is there a way to make text unselectable on an HTML page? [duplicate]
How do I make a transparent canvas in html5?
Vue.js get selected option on @change
&nbsp jsx not working
Disabling android's chrome pull-down-to-refresh feature
Detect click outside Angular component
z-index not working with position absolute
Set active tab style with AngularJS
How to make the overflow CSS property work with hidden as value
Stacking Divs from Bottom to Top

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!