ebbion.blogg.se

Iframe attributes












Today’s web applications mash up new experiences into one experience. Think Twitter widgets showing the latest tweets about a product. Or Facebook comments discussing an article. Or even just integrated web pages through an IFRAME element. These experiences can increase the risk of security breaches on your site.

Don’t stress…there’s a new kid on the block to help you out: the HTML5 Sandbox. But before I get to that, let’s quickly review IFRAME element issues.

Embedding content with an IFRAME is like announcing a party publicly on Facebook. You think you know who you invited, but really you have no idea who passed it on and who’ll show up. You know what you are referencing, but you have no clue how the site will evolve in the future. Content or functionality (or both) can change at any time. Without you knowing…and without your approval.

Browsers handle pages that use IFRAME just like any other web page. Forms can be used to retrieve user input, scripts can be executed, the page can navigate within the browser window, and browser plugins can be executed. And just like the party crashers who get out of hand, you have no control over what the hosted content will do.

There is one mechanism in place by default that prevents some kinds of attacks: the cross-domain policy. If hosted content is coming from another domain, cross-domain policy comes into play and prohibits the “foreign” content from accessing the parent’s document object model. So, the embedded page is not able to read, for instance, cookies or the browser’s local storage for the hosted domain.

Hosted content can still re-navigate on the top level. By displaying content the user would expect, the site could attempt to phish confidential information from the user. Or, by using a similarly styled form, attempt to maliciously capture user information that way. That’s why, even with the cross-domain policy in place, there are still big security risks.

The case for re-hosting content from the same domain is even worse. When the content comes from the same domain, there are no default security restrictions in place. Embedded content can access the complete loaded browser DOM and manipulate everything. It kind of makes sense that content on the same domain should be safe.
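To make the same-domain versus cross-domain distinction concrete, here is an added example (not code from the original article) that audits the IFRAME tags in a page and reports which of the risks described here each one is exposed to. The page origin, the sample markup and the function names are constructed for illustration; the `sandbox` token names come from the HTML standard, not from this page.

```javascript
// Added example, not from the original article. PAGE_ORIGIN and SAMPLE_HTML are constructed.
const PAGE_ORIGIN = "https://shop.example";
const SAMPLE_HTML = `
<iframe src="https://widgets.example/tweets.html"></iframe>
<iframe src="/uploads/profile.html"></iframe>
<iframe src="https://comments.example/thread" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="/help/faq.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://ads.example/banner" sandbox="allow-scripts allow-top-navigation"></iframe>
`;

// Read one attribute from a tag string: null if absent, "" if present without a value.
// Regex parsing is a simplification that is adequate for the constructed sample.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+)))?(?=[\\s/>])`, "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3] ?? "") : null;
}

function auditIframes(html, pageOrigin) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = attr(tag, "src") ?? "";
    // Relative and empty URLs resolve against the page, so they are same-origin.
    const sameOrigin = new URL(src, pageOrigin).origin === pageOrigin;
    const sandbox = attr(tag, "sandbox");
    const tokens = new Set((sandbox ?? "").toLowerCase().split(/\s+/).filter(Boolean));
    const issues = [];
    if (sandbox === null) {
      issues.push(sameOrigin
        ? "no sandbox: same-origin content can read and change the parent DOM"
        : "no sandbox: content can run scripts, show forms and navigate the top window");
    } else {
      if (tokens.has("allow-top-navigation"))
        issues.push("allow-top-navigation: frame may replace the whole page");
      if (sameOrigin && tokens.has("allow-scripts") && tokens.has("allow-same-origin"))
        issues.push("allow-scripts + allow-same-origin: same-origin frame can remove its own sandbox");
    }
    findings.push({ src, sameOrigin, issues });
  }
  return findings;
}

for (const f of auditIframes(SAMPLE_HTML, PAGE_ORIGIN)) {
  console.log(f.sameOrigin ? "same-origin " : "cross-origin", f.src, f.issues);
}
```

Only the third frame in the sample comes back clean: it is cross-origin and its sandbox grants scripts and forms but not top-level navigation.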













