
restrict script inside iframe to run only within pages of same top-level domain?

Developer https://www.devze.com 2022-12-26 16:25 Source: web

I'd like to enforce a requirement that client script inside a page (which in turn is loaded inside an iframe of another page) will only run when the parent page is on the same top-level domain as the framed page (although it may be on another hostname in that domain). Is this do-able?

I assume that the easy solution of looking at top.location.host won't be available due to cross-site scripting limitations, but I'm wondering if other javascript hackery could suffice.

Constraints on any potential solution include:

I need to be able to run XmlHttpRequest calls inside the child page, and I need to validate that the hostname is in the same domain before I make those calls. (This makes a document.domain solution challenging because AFAIK setting document.domain disables the ability to make XmlHttpRequest calls.)

I can control client-side script and HTML on both parent or child (and I can create new pages if needed), but I can't make any server-side code changes.

I can't simulate the above via server-side calls or proxies, because the child page's hostname uses a forms auth system with hostname-scoped cookies that I can't get access to from the parent page since it's on a different hostname.

I don't have enough control over the child-frame site to be able to put both sites behind the same reverse-proxy or load-balancer (which would enable me to put both sites on the same hostname).

I don't actually need to access any UI inside the IFrame-- the iframe is invisible and I'm only using it to run javascript within the security context of a site on a different hostname from the parent page.

So at this point I'm stumped. Got any ideas? I want to make sure I'm not overlooking an easy solution before giving up.


"setting document.domain disables the ability to make XmlHttpRequest calls"

That is not true, I have done it many times. If you control both domains, why, you can use it.

Also, if you are comfortable restricting browsers to FF3+ and IE8+ (yes, the one you are thinking about does it too), you can use postMessage, a very cool HTML5 feature that lets you pass messages from window to window.
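The postMessage approach this answer points at, worked through as an added example (this is not code from the thread; the hostnames app.example.com / auth.example.com, the message type "parent-hello" and the helper names are assumptions). The point a practitioner cares about: the child cannot read top.location.host, but it can read event.origin on a message from its parent, and the browser sets that field, so the sender cannot forge it. The child therefore stays idle until the parent announces itself from an origin in the same registrable domain, and only then runs the privileged code (the XmlHttpRequest calls from the question). The pure decision functions are kept separate from the window wiring so they can be exercised outside a browser.

```javascript
// Added example, not part of the original post. Gates the framed page's
// script on the parent's origin as reported by the browser in event.origin.
//
// Assumptions (not in the thread): parent at https://app.example.com, child
// at https://auth.example.com, both sides agree on the "parent-hello" type.

// Registrable domain approximated as the last two labels. This is a
// simplification: it is wrong for multi-label public suffixes such as co.uk,
// where the Public Suffix List must be consulted instead.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  if (labels.length < 2) return null; // "localhost", single-label hosts
  return labels.slice(-2).join(".");
}

// Decide whether a parent origin may unlock the child. Rejects anything that
// is not https, anything unparseable (including the opaque "null" origin of a
// sandboxed frame), and any host outside the child's registrable domain.
function parentIsTrusted(parentOrigin, selfOrigin) {
  let parent, self;
  try {
    parent = new URL(parentOrigin);
    self = new URL(selfOrigin);
  } catch (e) {
    return false;
  }
  if (parent.protocol !== "https:" || self.protocol !== "https:") return false;
  const a = registrableDomain(parent.hostname);
  const b = registrableDomain(self.hostname);
  return a !== null && a === b;
}

// Child (framed page) side: wait for the first acceptable message from the
// direct parent, then run onTrusted once and stop listening. Messages from
// other windows, from untrusted origins, or with the wrong type are ignored,
// so a hostile parent simply never unlocks the script.
function installChildGate(win, onTrusted) {
  win.addEventListener("message", function handler(event) {
    if (event.source !== win.parent) return;
    if (!parentIsTrusted(event.origin, win.location.origin)) return;
    if (!event.data || event.data.type !== "parent-hello") return;
    win.removeEventListener("message", handler);
    onTrusted(event.origin);
  });
}

// Parent side: announce to the frame. The target origin is pinned to the
// child's exact origin rather than "*", so the hello is dropped by the
// browser if the frame has been navigated elsewhere.
function announceToChild(frameWindow, childOrigin) {
  frameWindow.postMessage({ type: "parent-hello" }, childOrigin);
}

if (typeof window !== "undefined") {
  // Browser wiring only; outside a browser the pure functions above are
  // all that run.
  if (window.parent !== window) {
    installChildGate(window, function (parentOrigin) {
      // Safe point to issue XMLHttpRequest / fetch calls; parentOrigin is
      // known to be an https origin in this page's registrable domain.
    });
  } else {
    // On the parent page, after the frame has loaded:
    // announceToChild(frame.contentWindow, "https://auth.example.com");
  }
}
```

Two caveats worth stating. First, the check is on the direct parent only (event.source === win.parent); if a trusted page in the domain can itself be framed by a third party, that page needs its own framing protection, which the question rules out as a server-side change. Second, the two-label heuristic in registrableDomain is deliberately simple; for hostnames under multi-label public suffixes replace it with a Public Suffix List lookup.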


This really needs to be done by the browser. Efforts around this issue go back to 2007 or so:

  • IE Blog entry
  • Firefox issue 341604
  • The HTML5 sandbox attribute

This functionality is needed for all DOM elements. I.e., you should be able to specify that javascript under any DOM element should not be executed. You should also be able to specify that resource requests under a certain DOM element are restricted to certain domains, etc. Together, these would help mitigate XSS and CSRF attacks.

In any case, don't hold your breath.
