
Strange cross-domain issue with iframe

I am using the iframe below inside a different domain, however somehow the parent window is redirected both in Chrome and Firefox. Isn't this supposed to be blocked due to cross-domain policy?

I can block it by adding the sandbox="" attribute to the iframe, however I am still curious why this is possible.

<html>
<body>
<!-- iframe is not a void element: it needs an explicit closing tag rather than "/>" -->
<iframe src="http://www.samplicio.us/router/default.aspx?SID=0db760c8-4858-4773-9e67-ca7e2cdb3cba&PID=7525e17a-a799-416c-bf84-4ea2e75ac332&AGE=24&GENDER=1&HISPANIC=1&ETHNICITY=1&STANDARD_HHI_US=3"></iframe>
</body>
</html>

While same-origin policy does block access to Window properties from cross-domain frames, the location property is a special exception.

From the Cross-origin script API access section of the MDN article on same-origin policy.

JavaScript APIs such as iframe.contentWindow, window.parent, window.open and window.opener allow documents to directly reference each other. When the two documents do not have the same origin, these references provide very limited access to Window and Location objects, as described in the next two sections.


Cross-Origin Window:

MDN lists the following methods and attributes of the Window object as permitted cross-origin, in accordance with the specification.

Methods:

  • window.blur
  • window.close
  • window.focus
  • window.postMessage

Attributes:

  • window.closed (read-only)
  • window.frames (read-only)
  • window.length (read-only)
  • window.location (read/write)
  • window.opener (read-only)
  • window.parent (read-only)
  • window.self (read-only)
  • window.top (read-only)
  • window.window (read-only)


Cross-Origin Location:

Additionally, the following properties of the Location object are also permitted in accordance with the specification.

Methods:

  • location.replace

Attributes:

  • URLUtils.href (write-only)


In Summary:

As you can see above, window.location is read/write accessible across domains. Under same-origin policy, a frame is permitted to re-assign the location property of another frame. Use of the sandbox property would be the correct way to block such cross-origin frame access in modern browsers.

You might also be interested in reading the OWASP Clickjacking Defense Cheat Sheet page which has information on this technique of preventing a site from being framed, and some less-effective countermeasures that can be used in legacy browsers.
