Reputation: 2770
Securing script injection and execution on third party iframes
I want to be able to inject scripts into an iframed page (hosted on a 3rd party server) within a page served out of my own server (to visualize changes for a wysiwygapp).
Since I have a small stub script on the 'target' page, I could I guess just have a method that allows arbitrary script execution of whatever is passed to it. Obviously this doesnt sound like something that is secure, since it would open an attack vector for some neat XSS. One of the ideas I had for securing it was passing some sort of token alongside the scripts I want to run, which the stub client code would check with a server, and only then execute scripts. Does this make sense? Could anybody point me to any precedents perhaps?
Many thanks
Upvotes: 2
Views: 955
Answers (1)
Reputation: 707148
First off, it sounds like you control a small amount of code in the actual iFrame. Rather than your proposal of allowing others to inject a script via that stub (which would open you up to all sorts of attacks), why don't you put the actual "safe" code that you want in the iframe and then just notify a parent frame of the results?
Second off, there are a zillion web pages written about safe cross-domain iframe communication. Since I'm still not sure exactly what you're trying to do, you may need to just do the searching yourself and find the mechanism that works best for you. A Google search for "safe cross domain iframe communication" finds a ton of information.
Third, the article I came across and liked the best is Cross Domain Communication with iFrames and the safest technique looks like postMessage because it shares data only, doesn't allow code calling and can actually check for origins that it trusts, though postMessage is only available in newer browsers so you would have to fall back to one of the other techniques that works in older browsers too. Here's a jQuery plugin that uses postMessage when available and falls back to another technique when not.
If this info isn't enough, then please tell us more about what you're trying to do in the iFrame or what information you're trying to pass between the two origins?
Upvotes: 3
Related Questions
- can i allow malicious code to run on my site?
- From a security perspective is it OK to have a third-party inject entire HTML into iframe?
- Executing HTML5/Javascript Within An iFrame Securely
- Understanding 3rd party iframes security?
- Security Risks of Including a 3rd Party iFrame
- iFrame Security Risks from Embedding by Hacker
- Complete isolation of javascript in the iframe from the same domain
- preventing iframe security issue
- Using iframes to protect the rest of a page from scripts in 3rd party proxied-in div
- Iframe Security Issues