Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Sandboxing, IFrame, and allow-same-origin

Tags:

I have been reading about the HTML5 additions to the <iframe> tag. One of the additions is the inclusion of sandboxing flags that allow the document loaded into the iframe to interact with its parent browser context.

After reading some of the documentation, I am looking for a bit of clarity. I have read MDN's description of the allow-same-origin flag:

Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.

Not hugely, helpful, I think, after having read W3C's specification:

...[I]t can be used to embed content from a third-party site, sandboxed to prevent that site from opening pop-up windows, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc.

My question is specifically about what MDN refers to as the "normal origin" in light of W3C's specification: when refering to the "normal origin" is MDN stating that the content of document contained within the <iframe> tag is treated as if it shares the origin of the page from which the document originates, e.g. a YouTube video believes - and can communicate as if - it is still apart of YouTube? Or, does the <iframe> document have access to the parent browser context?

like image 933
Thomas Avatar asked Jul 02 '15 12:07

Thomas


People also ask

How can we allow the sandboxed iframe to run scripts from the same domain?

Correct Option: A. Scripts are re-enabled by allow-scripts. The sandbox attribute enables an extra set of restrictions for the content in the iframe. Allow-forms re-enables from submission.

Is iframe sandbox secure?

Now, these are things that have a great security risk, so to make things more secure for the users, W3C added the 'Sandbox' attribute in the HTML specifications. This attribute limits the action from an iframe within a web page and makes it quite secure and protected.

What is the iframe sandbox attribute?

What is sandbox attribute? Sandbox attribute allows restricting access to the iFrame content and what iFrame contents is allowed to access website content. When the sandbox attribute is added to the iFrame tag, by default it will: Treat the content as being from a unique origin.

Why you should sandbox iframe content from your own?

Applying the sandbox attribute to iframes you include allows you to grant certain privileges to the content they display, only those privileges which are necessary for the content to function correctly.


1 Answers

You can't access the document between an iFrame and the Parent window (from different domains). To communicate between frames in you'd need to use postMessage.

Using the allow-same-origin allows you to use, for example, cookies that are in the iFrame.

Here's a good reading to understand better iFrames' sandbox: http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

like image 144
LFC Avatar answered Sep 28 '22 07:09

LFC