Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Understanding 3rd party iframes security?

Facebook and others offer little iframe snipplets that I can put in my site. Example:

<iframe src="http://www.facebook.com/widgets/like.php?href=http://example.com"
        scrolling="no" frameborder="0"
        style="border:none; width:450px; height:80px"></iframe>

What I'd like to know is, if I put this code inside my side, could the code they load into my page access the DOM of my page? I see some security isssues if so.

Likewise facebook allows me to put an iframe into their site, this is how facebook applications work. Could I then mine any data off any page that contains my iframe?

Note I used facebook as an example here, but many companies do the same thing so this quesiton is not specific to facebook in any way so I am not tagging it as such.

Also can the parent page access the DOM of the iframe?

like image 891
Winforms Avatar asked Jul 25 '10 13:07

Winforms


People also ask

Are iFrames a security risk?

iframes are a great option to keep your users more engaged. But, when you use an iframe, you're handling content from a third-party source that you have no control over. As a result, iframes often pose security threats to the applications.

What are third-party iFrames?

Third-party embeds are typically loaded in <iframe> elements on the page. Third-party providers offer HTML snippets often consisting of an <iframe> that pulls in a page composed of markup, scripts, and stylesheets. Some providers also use a script snippet that dynamically injects an <iframe> to pull other content in.

Should you use iFrames in 2021?

It's 2021: Do not use iFrames for interactive content. They are old-school, outdated, and do you no SEO favors. In fact, if your site is currently using interactive tools built on iFrames, it's up to you to switch out those ASAP.


2 Answers

Actually there are specific rules of inheritance for iframes. This is apart of the same-origin policy, and I highly recommend reading the entire Google Browser Sec Handbook.

like image 132
rook Avatar answered Oct 04 '22 23:10

rook


I do know the parent page can access the DOM of the iframe. Recently we had a project at work where we had a site which needed to be 508 compliant. The iframe was not and although screen readers are handling iframes much better, the content within this iframe was not compliant. We loaded jquery library into our site, and then also loaded code into our site to manipulate the iframe (only after it loads) and at that point mashup the iframes content to be accessible.

To give you an idea of how we did it here is a sample of our jquery. (Used a lot of finds and replaces but you get the idea, you could do other things. )

$('iframe').load(function() {
    var f = $(this).contents();
    f.find('#sysverb_back').remove();
    f.find('a.column_head').each(function(){
        $(this).attr('title', $(this).text());
    });         
    f.find('img[title]:not([alt])').each(function(){
        $(this).attr('alt',$(this).attr('title')); 
    }); 
    f.find('input').filter(function() {
        return this.id.match(/sys_readonly\..+|ni\..+/);
    }).each(function() {
        $(this).before('<label for="'+this.id+'" style="display:none;">'+this.id+'</label>');
    });

});

});

Although I do not know if you can from the iframe access the parent DOM.

like image 40
Chris Avatar answered Oct 04 '22 22:10

Chris