Security implications for setting document.domain in iframed content

I have two subdomains, content and www, in the example.com domain. Content from content.example.com is presented at www.example.com via an iframe.

Since content on content.example.com requires contacting www.example.com, I set document.domain="example.com" and also set allow-scripts and allow-same-origin on the iframe.

I am concerned that if users can upload content that will be displayed in the iframe, it may be misused, e.g. to send cookie contents to a remote domain to hijack a session, or for other security vulnerabilities.

To test my theory, I set up another domain, www.example2.com, and put an AJAX request in the iframed content on content.example.com that sends document.cookie to the remote domain. This causes the _ga cookie to be sent to the remote domain. I enabled header('Access-Control-Allow-Origin: *') on the remote domain, so that does not cause any problems.

Why are only the _ga cookies sent? I have several other cookies with the same domain and path as the _ga cookies, but they are not sent. Are there any other security risks? Ideally, I would like this to be possible only for the connection between content.example.com and www.example.com, and it looks like it basically does this, with the exception of the Google Analytics cookie, which would mean that others could do this too.

1 answer

You can use JSONP to exchange data between different domains, regardless of settings and cross-domain access policies.

However, JSONP requires the server side to create a callback function with the returned data as a parameter.

I would suggest downloading simple Javascript content from a server that has the same cross-domain independence and security as a JSON request.

Say you have a Javascript file, data.js, on content.example.com, or a service that returns the same content as the file in the response: a JSON object with a variable prefix:

    result = {
        "string1": "text1",
        "object1": { "string2": "text2", "number1": 5.6 },
        "number2": 7,
        "array1": ["text3", "text4"]
    }

Then on your web page at www.example.com you can have a script with a loadJS function that loads the server response as a script:

    var loadJS = function (url, callback) {
        var script = document.createElement('script');
        script.type = "text/javascript";
        script.src = url;
        // Once the script has executed, the global `result` it assigned is
        // passed to the callback, then cleaned up together with the element.
        script.onload = function (ev) {
            callback(window.result);
            delete window.result;
            this.parentNode.removeChild(this);
        };
        document.body.appendChild(script);
    };

    window.onload = function () {
        loadJS('http://content.example.com/data.js', function (data) {
            console.log(data);
        });
    };

You can use this function on content.example.com for requests in the opposite direction.

To set cookies or perform any other actions available in JS, the script response, data.js, may contain a function instead of a JSON object:

    result = (function () {
        // Each assignment to document.cookie sets one cookie; anything after
        // the first ";" is read as cookie attributes, not as a second cookie.
        document.cookie = "cookie1=Value1";
        document.cookie = "cookie2=Value2";
        return true;
    })();
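As an added example (not code from the question or the answer), the following models RFC 6265 cookie domain matching to show why a script on content.example.com can read only a cookie scoped to the parent domain, such as _ga, while host-only and HttpOnly cookies of www.example.com stay out of reach; document.domain relaxes DOM access between the frames but does not change cookie scoping. The cookie names and attributes in the jar are assumed for illustration.

```javascript
// Added example, not part of the original post: which cookies does a script
// reading document.cookie on a given host see? Follows RFC 6265 domain
// matching; the cookie jar below is constructed for illustration.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when they
// are identical or the host ends with "." + cookieDomain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Names of the cookies a script on `host` would see in document.cookie.
// HttpOnly cookies are never exposed to script; host-only cookies (set
// without a Domain attribute) match only the exact host that set them.
function scriptVisibleCookies(host, cookies) {
  return cookies
    .filter(c => {
      if (c.httpOnly) return false;
      if (c.hostOnly) return host.toLowerCase() === c.domain.toLowerCase();
      return domainMatches(host, c.domain);
    })
    .map(c => c.name);
}

// Constructed jar resembling the question: the analytics cookie _ga is
// assumed to carry Domain=.example.com, the app session cookie is assumed
// host-only for www.example.com, and a third cookie is assumed HttpOnly.
const JAR = [
  { name: '_ga',       domain: 'example.com',     hostOnly: false, httpOnly: false },
  { name: 'PHPSESSID', domain: 'www.example.com', hostOnly: true,  httpOnly: false },
  { name: 'auth',      domain: 'example.com',     hostOnly: false, httpOnly: true  },
];

// Compare what the iframe's origin sees with what the parent's origin sees.
function demo() {
  return {
    fromContent: scriptVisibleCookies('content.example.com', JAR), // ['_ga']
    fromWww: scriptVisibleCookies('www.example.com', JAR),         // ['_ga', 'PHPSESSID']
  };
}
```

Marking session cookies HttpOnly and leaving them host-only removes them from document.cookie on every subdomain, which is what limits the damage if uploaded content runs inside the frame.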

Source: https://habr.com/ru/post/1268148/