Cross domain authentication across an iframe without login

I want the user to be able to submit and render untrusted HTML within an application on, say, domain example1.com. In order to prevent malicious XSS from capturing the user's cookies, the idea was to open the HTML in an iframe that uses a different domain, let's say example2.com. But in order to see this HTML the user has to be logged in on example1.com. How do I render the HTML in the iframe on example2.com only if the user is logged in and authenticated on example1.com?

I was thinking maybe of using a secret passed via postMessage that posts a form to render the HTML without ever setting a cookie. Any time I wanted to update the iframe's content via JavaScript I would simply recreate the iframe, pass in the secret again and post the form again to render the untrusted HTML. Malicious JavaScript would not have access to the secret, as that existed only on the previous page that posted the form. Would that be a good solution, or is there something better?

Bjorn asked Dec 28 '25 09:12


1 Answer

Every time a user logs in to example1.com, you create a token for them.

To call your iframe content, use something like example2.com/view.php?page=1&token=dsjahdjkhjh331

So the malicious script could only get the token, not the cookie. And if you add a "fingerprint" to the token, like concatenating the user with the request address (IP) + browser agent, stealing the token is the same as stealing a random string.

Daniel Aranda answered Dec 30 '25 23:12