Reputation: 120
I am using the iframe below inside a different domain, however somehow the parent window is redirected both in Chrome and Firefox. Isn't this supposed to be blocked due to cross-domain policy?
I can block it by adding the sandbox="" attribute to the iframe, however I am still curious why this is possible.
<html>
<body>
<!-- "&" inside an attribute value should be written as "&amp;", and <iframe> is not a void element, so it needs a closing tag -->
<iframe src="http://www.samplicio.us/router/default.aspx?SID=0db760c8-4858-4773-9e67-ca7e2cdb3cba&amp;PID=7525e17a-a799-416c-bf84-4ea2e75ac332&amp;AGE=24&amp;GENDER=1&amp;HISPANIC=1&amp;ETHNICITY=1&amp;STANDARD_HHI_US=3"></iframe>
</body>
</html>
Upvotes: 0
Views: 1229
Reputation: 60507
While same-origin policy does block access to Window properties from cross-domain frames, the location property is a special exception.
From the Cross-origin script API access section of the MDN article on same-origin policy:
JavaScript APIs such as iframe.contentWindow, window.parent, window.open and window.opener allow documents to directly reference each other. When the two documents do not have the same origin, these references provide very limited access to Window and Location objects, as described in the next two sections.
MDN lists the following methods and attributes of the Window object as permitted cross-origin, in accordance with the specification.
window.blur
window.close
window.focus
window.postMessage
window.closed (read-only)
window.frames (read-only)
window.length (read-only)
window.location (read/write)
window.opener (read-only)
window.parent (read-only)
window.self (read-only)
window.top (read-only)
window.window (read-only)
Additionally, the following properties of the Location object are also permitted in accordance with the specification.
location.replace
URLUtils.href (write-only)
As you can see above, window.location is read/write accessible across domains. Under same-origin policy, a frame is permitted to re-assign the location property of another frame. Use of the sandbox property would be the correct way to block such cross-origin frame access in modern browsers.
You might also be interested in reading the OWASP Clickjacking Defense Cheat Sheet page which has information on this technique of preventing a site from being framed, and some less-effective countermeasures that can be used in legacy browsers.
Upvotes: 1