

This is a security concern though, in fact it's one of the reasons people use AdBlock or NoScript (so you can selectively choose which domains are allowed to run code in your browser). There are many reasons to include third-party scripts in a page - advertisement, analytics, interaction with social networks, etc. Update: I'd like to clarify the question a bit, based on the questions raised by commenters. The fact it's in an iframe, however, does not make it worse in any regard, or am I mistaken? Are these assumptions correct, is there anything else I should be aware of? Some level of trust will be necessary from the part of users (the idea is that each user should be able to choose extensions at his own leisure, regardless of my site endorsing them or not, while ultimately bearing the consequences of his choices), but I'd like to do everything possible to mitigate those risks. They can embed flash or other plugins which may have security vulnerabilities.

Also, correct me if I'm mistaken - I'm assuming JavaScript in iframes has equal access to those resources, and no way for parent page to deny that.

Clarifying: the issue here is the possibility of trying to impersonate the parent site, displaying a message asking for the password, for instance.

This is the worst problem I have identified so far, and I am still unable to think of ways to prevent that.

They can spam Window.alert (or worse: Window.prompt), console.log or access other "global" stuff.

They won't be able to clickjack the user, since if their iframes are invisible I'm also assuming they can't make them visible or resize them, since this would involve accessing the DOM of the parent page, is this correct?

This situation is no different from having two open tabs in the same browser, one of them authenticated with its respective site.

They might make GET requests on my server (including loading scripts from it), but as long as I use CSRF tokens where it matters I should be fine.

They won't be able to access the DOM of the main page, or make arbitrary JavaScript calls on it, or make Ajax requests on my domain, due to same-origin policy.

Would this properly "sandbox" the code? I'm assuming that:

The proposed solution is creating an invisible iframe for each third party extension, using only postMessage to communicate with them (Edit: to be a proper "view" it must be visible, of course, but as an alternative it can merely have the role of "controller", delegating the render of visual components to the main page - could be used if it added any security benefits, but ideally no).

The goal here is that only my model will make HTTP requests to my server, and the third party views shall only make API calls to my platform, nothing more (they may also "call home" if they want to, but they must not touch anything not explicitly exposed to them through the API).

Inside your parent document: window.

I'm trying to create an extensible platform, where my site will provide a model and some views (both client-side, in the browser) and third party sites may add their own views as well.

But still you can post message to the parent, handle this message in parent and set this extra flag in iframe attributes with set attribute.

From iframe: ("ChangeIframeAttributes", *)

If this is the case you can not directly handle parent document because of cross origin policy.
I am assuming that the page you are loading this iframe within and the content you are loading inside the iframe are on different domains (Interpreted from paymentprocess.aspx).
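
The parent-side half of the postMessage design discussed above, as an added example that is not part of the original posts: a dispatcher that only accepts messages from the frames the parent created and only runs methods it explicitly exposes. The registry shape, the method names `getTitle` and `addNote`, and the model object are assumptions made for illustration.

```javascript
// Added example: parent-side dispatcher for messages from extension iframes.
// Method names, registry shape and model are constructed for illustration.
const EXPOSED_API = {
  getTitle: (model) => model.title,
  addNote: (model, args) => {
    if (typeof args.text !== "string" || args.text.length > 200) {
      throw new Error("bad argument");
    }
    model.notes.push(args.text);
    return model.notes.length;
  },
};

// registry: Map of expected origin -> contentWindow of the iframe created for it.
function dispatchExtensionMessage(event, registry, model) {
  const expectedWindow = registry.get(event.origin);
  // Reject unknown origins and senders that are not the frame we created.
  if (!expectedWindow || event.source !== expectedWindow) {
    return { ok: false, error: "untrusted sender" };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || typeof msg.method !== "string") {
    return { ok: false, error: "malformed message" };
  }
  // Own-property check so inherited names such as "constructor" never resolve.
  if (!Object.prototype.hasOwnProperty.call(EXPOSED_API, msg.method)) {
    return { ok: false, id: msg.id, error: "method not exposed" };
  }
  try {
    const result = EXPOSED_API[msg.method](model, msg.args || {});
    return { ok: true, id: msg.id, result };
  } catch (e) {
    return { ok: false, id: msg.id, error: e.message };
  }
}

// Browser wiring; skipped where no DOM exists.
if (typeof window !== "undefined") {
  const registry = new Map(); // filled as each extension iframe is created
  const model = { title: "demo", notes: [] };
  window.addEventListener("message", (event) => {
    const reply = dispatchExtensionMessage(event, registry, model);
    // Answer only identified requests, and target the exact origin, never "*".
    if (reply.id !== undefined) event.source.postMessage(reply, event.origin);
  });
}
```

Keeping the decision logic in a function that takes the event as a plain argument lets it be exercised with constructed events outside a browser.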
