Ashni Goyal

Reputation: 827

Is cross domain request possible?

In the following code, when you press Submit, the iframe is loaded with the URL entered in the textbox. Is this not a violation of the rule against cross-domain requests? I am using Mozilla 14.0.

<!DOCTYPE html>
<html>
<head>
<script>
// Copy the URL typed into the textbox into the iframe's src attribute; the
// browser then navigates the frame to that URL, whatever its origin.
function myFunction()
{
    document.getElementById("site").src = document.getElementById("web").value;
}
</script>
</head>
<body>
<input id="web" type="text" name="user">
<input type="submit" value="Submit" onclick="myFunction()"> <br/>
<iframe id="site" src="" width="1200" height="1200"></iframe>
</body>
</html>

Upvotes: 0

Views: 151

Answers (4)

Tivie

Reputation: 18923

No, it's not a violation. It's perfectly valid.

The same-origin policy prevents access to methods and properties across pages on different domains. It also prevents modifying the included webpage. But it does not prevent you from including it as a whole (and even interacting with it in a limited way).

Basically, this policy prevents Website A from posing as the user on Website B.

Example

Imagine you visit your bank account (bank.com). When you log in, the bank website generates a "user environment" for you, giving you access to restricted content. Also, it enables you to make modifications to your bank account through HTTP requests (either form submission or an Ajax request).

The website trusts you because you've proved that you are who you say you are and you trust the website because you know that for all intents and purposes, no one but you can interact with your bank website while you're in that secured environment.

Now imagine you visit a malicious website in another tab (evilweb.com) that has an iframe with your bank website. Without this policy, evilweb.com could pose as YOU, gaining access to the restricted area, reading DOM information (bank account number, etc.) and even interacting with it, clicking the Transfer funds button and cleaning out your bank account. That iframe could even be hidden.

However, nothing prevents evilweb.com from "downloading" the public contents of bank.com, the same way nothing prevents me from accessing a public website even if I don't possess access credentials.

So... Posing as a user is different from making a request.

So, basically, evilweb.com can make requests directly to bank.com, but it cannot piggyback on you and make requests on your behalf.

Upvotes: 1

Ash Burlaczenko

Reputation: 25435

The JavaScript isn't doing anything with the external page, so there are no cross-domain issues. All your code does is tell the iframe to load a URL.

Upvotes: 0

Bergi

Reputation: 664356

No, it's okay to load the page. However, you will not be able to access the contents of the iframed cross-origin document.

Upvotes: 0

Jon

Reputation: 437336

No. There is no data being transferred between one domain and the other.

From a security perspective it is totally irrelevant if the URL you navigate the frame to comes from user input or from any other source.

If you tried to pull data from inside the iframe to the outside world or to manipulate the contents of the iframe, that would be a violation of the same-origin policy and it would fail.

Upvotes: 0
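The distinction the answers above draw (navigating the frame is always allowed; reaching into its DOM is allowed only for the same origin) can be modelled as the origin comparison a browser performs. The following is an added illustration, not code from the question or any answer; `originOf`, `sameOrigin` and `frameAccessDecision` are names chosen here, and the bank.com / evilweb.com URLs are constructed samples taken from Tivie's scenario.

```javascript
// Model of the same-origin check applied when a parent page tries to read
// iframe.contentDocument. Two URLs share an origin only when scheme, host and
// port all match; the port is taken from the scheme's default when omitted.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a URL to its origin tuple (scheme, host, port).
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// What the browser permits for a page at parentUrl that sets iframe.src = frameSrc:
// the navigation itself is always allowed; DOM access only for the same origin.
function frameAccessDecision(parentUrl, frameSrc) {
  return {
    canNavigate: true,
    canReadFrameDom: sameOrigin(parentUrl, frameSrc),
  };
}

// Constructed samples: the cross-origin case from the answers plus the
// near-misses (scheme, port, subdomain) that also count as different origins.
const checks = [
  ["http://evilweb.com/", "http://bank.com/account"],
  ["http://bank.com/", "http://bank.com/account"],
  ["http://bank.com/", "https://bank.com/"],
  ["http://bank.com/", "http://bank.com:8080/"],
  ["http://bank.com/", "http://www.bank.com/"],
  ["https://bank.com/", "https://bank.com:443/"],
];
for (const [parent, frame] of checks) {
  const d = frameAccessDecision(parent, frame);
  console.log(`${parent} -> ${frame}: navigate=${d.canNavigate} readDom=${d.canReadFrameDom}`);
}
```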
