Creating a secure same-domain iframe

tl;dr: Is it possible to safely execute untrusted scripts in an iframe?

Background:

I am trying to make secure JSONP requests. Many older browsers do not support web workers, which means that the current solution I came up with is not optimal.

I decided that I could create an <iframe> and load the script inside it. This script would execute a JSONP request (by creating a script tag) and post the result as a message to the main page. The main page receives the message, calls the callback and destroys the iframe. I managed to do it like this:

    function jsonp(url, data, callback) {
        var iframe = document.createElement("iframe");
        iframe.style.display = "none";
        document.body.appendChild(iframe);
        var iframedoc = iframe.contentDocument || iframe.contentWindow.document;

        // define the JSONP callback inside the frame; it forwards the result to the parent
        var sc = document.createElement("script");
        sc.textContent = "(function(p){ cb = function(result){p.postMessage(result,'http://fiddle.jshell.net');};})(parent);";
        //sc.textContent += "alert(cb)";
        iframedoc.body.appendChild(sc);

        // build the JSONP request; keys and values are percent-encoded
        var jr = document.createElement("script");
        var getParams = "";
        for (var i in data) {
            getParams += "&" + encodeURIComponent(i) + "=" + encodeURIComponent(data[i]);
        }
        jr.src = url + "?callback=cb" + getParams;
        iframedoc.body.appendChild(jr);

        // receive the result posted by the frame, then tear the frame down
        window.onmessage = function (e) {
            callback(e.data);
            document.body.removeChild(iframe);
        };
    }

    jsonp("http://jsfiddle.net/echo/jsonp/", { foo: "bar" }, function (result) {
        alert("Result: " + JSON.stringify(result));
    });

The problem is that since the frames are in the same domain, the injected script still has access to the outer page via .top or .parent and the like.

Is there a way to create an iframe that cannot access data in the parent scope?

I want to create an iframe where scripts added through script tags cannot access the variables in the parent window (or the DOM). I tried things like top = parent = null, but I'm really not sure whether this is enough; there may be other workarounds. I tried to run a for ... in loop, but my function stopped working, and I could not figure out why.

NOTE:

I know that, optimally, Web Workers are the best sandbox. I know that JSONP is a "bad" technique (I even had some random guy tell me that he would never use it today). I am trying to create a safe scripting environment in which JSONP requests must be executed.

+6
2 answers

You really cannot remove references by setting them to null; it will just fail, and there is always a way to get a reference to the parent DOM.

References like frameElement and frameElement.defaultView etc. cannot be deleted. An attempt to do so either fails silently or throws an exception, depending on the browser.

You could look at Caja / Cajita, though.

+1

tl;dr: no

Any untrusted script can steal cookies (for example, the session ID!) or read information from the DOM, such as the value of a credit card input field.

JavaScript relies on a security model in which all code is trusted code. Any access attempt from another domain requires an explicit whitelist.

If you want to isolate your iframe, you can serve the page from another domain. This means that you cannot share the session or pass any messages, because that can be abused. It is exactly the same as an unrelated website. Even then, there is scope for abuse if you allow untrusted JavaScript. For example, it can run: window.top.location.href = 'http://my.phishing.domain/'; and the user may not notice the redirection.

+1
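An added example (not code from the question or either answer) of the parent-side handling that the second answer implies: it assumes the JSONP helper frame is served from a separate origin, here the constructed value https://jsonp-helper.example, and that only messages from that origin and from the frame window the page created are accepted, with the payload treated as JSON data rather than code.

```javascript
// Constructed helper origin; in a real deployment this is the separate domain
// the helper frame is served from, as the second answer suggests.
const HELPER_ORIGIN = "https://jsonp-helper.example";

// Build the JSONP request URL with every key and value percent-encoded, so a
// value containing "&" or "=" cannot smuggle in extra query parameters.
function buildJsonpUrl(url, data, callbackName) {
  const params = Object.keys(data).map(
    (k) => encodeURIComponent(k) + "=" + encodeURIComponent(String(data[k]))
  );
  params.unshift("callback=" + encodeURIComponent(callbackName));
  return url + (url.indexOf("?") === -1 ? "?" : "&") + params.join("&");
}

// Return a "message" event handler that only accepts a result posted by the
// helper frame itself: the origin must be HELPER_ORIGIN and event.source must
// be the frame window the page created. Anything else is rejected, and the
// callback never sees it. Returns true when a result was delivered.
function createResultHandler(helperWindow, onResult, onRejected) {
  return function handleMessage(event) {
    if (event.origin !== HELPER_ORIGIN) {
      onRejected("unexpected origin: " + event.origin);
      return false;
    }
    if (event.source !== helperWindow) {
      onRejected("message not from the helper frame");
      return false;
    }
    // The payload is data only: a string that must parse as JSON, so the parent
    // never evaluates anything the remote JSONP script produced.
    let parsed;
    try {
      parsed = JSON.parse(event.data);
    } catch (e) {
      onRejected("payload is not JSON");
      return false;
    }
    onResult(parsed);
    return true;
  };
}

// Browser usage (the helper frame posts JSON.stringify(result) to the parent):
//   window.addEventListener("message",
//     createResultHandler(iframe.contentWindow, callback, console.warn));
```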

Source: https://habr.com/ru/post/945529/
