Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What exactly can an IFrame do with the top.Location object (cross-domain)?

Tags:

There is a very particular edge case in cross-domain policies regarding the window.top.Location object...

Let's say I have IFrame A , in domain www.bbb.com, living inside a page in domain www.aaa.com.

The page inside the IFrame can:

  • Compare window.top.location to window.location (to detect whether it's being framed)
  • Call window.top.location.replace(window.location) to redirect to self
  • Call window.top.location.replace("any arbitrary string") to redirect somewhere else

But it cannot:

  • Alert, Document.Write, or do any kind of output of window.top.location.href
  • Concatenate it in any other variable, or use it in any useful way
  • Call window.top.location.reload()

These are just the ones I could quickly find. I'm sure there are other edge cases.
It seems like the browser is not allowing the use of the top.location object if the top is in another domain, except for a few whitelisted things...

Is this documented anywhere?
Can I find what these whitelisted things are?
Is this in the HTML standard, and implemented equally in all browsers? Or is the implementation of this semi-random?

like image 396
Daniel Magliola Avatar asked Jul 11 '09 15:07

Daniel Magliola


People also ask

What is a cross domain iframe?

A cross domain inline frame (iframe) is a type of web technology that can be used to embed a small portion of one website within a larger "parent" page hosted on a different domain.

How do I find if a click event on a cross domain iframe?

you can always detect the click on a div using the onclick event without caring what is inside the div . but you can check if the div innerHTML to see if the ad is loaded or it's empty and if the ad was loaded then run your script.

Does iframe has its own window?

An <iframe> tag hosts a separate embedded window, with its own separate document and window objects. We can access them using properties: iframe.

What does allow same origin do?

The same-origin policy generally controls the access that JavaScript code has to content that is loaded cross-domain. Cross-origin loading of page resources is generally permitted. For example, the SOP allows embedding of images via the <img> tag, media via the <video> tag and JavaScript includes with the <script> tag.


2 Answers

This is exactly specified by the HTML5 standard in section 5.5.3.1.

like image 70
molnarg Avatar answered Oct 20 '22 13:10

molnarg


The security rules does differ with the version of browser. Generally newer versions have stricter rules, but also more fine tuned.

I suspect that older browsers would freely let you access the location object of the top frame, a little newer browsers would deny it totally, and the current versions let you compare location objects but not read from them.

You might be able find documentation about this, but it would be specific for each browser and specific for each version of the browser. As far as I know, there is no real standard for this. Each browser vendor tries to protect the user as much as possible, while still keeping some usability for the web site builder. Generally you can't really assume that anything close to the border works in all browsers, or that it will continue to work in future versions.

like image 41
Guffa Avatar answered Oct 20 '22 15:10

Guffa