i've a question about cookie and domains.
Suppose I drop a cookie to a user from domain www.firstdomain.com. Suppose the user visits another page under the domain: www.seconddomain.com. How can I access to my cookie previously set from this page?
I know that access to a cookie with domain=firstdomain from a domain=seconddomain is not possible, but if I've the possibility to use an iframe on the page www.seconddomain.com and I load the iframe from www.firstdomain.com/something, then can I access to my cookie?
Thank in advance,
Alessio
You are flying in the face of internet security and privacy - so while it is possible to do this today you need to anticipate some issues in the future.
It is possible to implement javascript handlers to set and get values from a cookie and the call from different iframes. This I expect is the safest route.
The iframe would have to consent by implementing helper functions to perform these tasks so things remain controlled.
The iFrame would have permission to read the cookie and then can communicate to the parent iframe using a call to the parent window.
An example is here:
How to Call Parent Window JavaScript Function inside iframe
Related
I can register service worker via iframe. When I try to run "pushManager.subscribe" I have:
DOMException: Registration failed - permission denied
This problem is only in Chrome via iframe. It works good in Firefox. And it works good without iframe in Chrome
You cannot use an iframe, it isn't allowed.
The permission request must be performed from the top level window.
The only alternative (that we have used for Pushpad Express for example) is to redirect to / open a new window from the iframe, then ask permission from the top level window and finally redirect back.
This is meant to make it clear for the user which website is asking the permission for push notifications. Otherwise the fear is that an ad for example may show a prompt for push notifications and that would be misleading.
BTW I had also suggested to add a new value to the sandbox attribute of iframes in order to allow prompts for push notifications, but the spec currently doesn't support it.
Long story short, you can't!
The path you are registering service worker on must be opened (be a top level domain) for it to register a service worker.
One way to achieve this is:
suppose your iframe looks like this:
<iframe src="https://example.com"></iframe>
use postMessage to communicate with iframe and ask for permission and then window.open("https://example.com/") to register the service-worker and fetch the token.
Hope this helps :)
Chrome requires you to subscribe to push from a top level domain since otherwise it is less clear what origing is the user allowing push to.
I am trying to add a hyperlink to an area of another website requiring login to view files. The target website will be a photo gallery website which then will be accessible on my website.
My question is this. Is it possible to encode login information into a hyperlink therefore bypassing login when hyperlink is clicked? Please let me know your thoughts.
Short answer: Client-side, this would be near-impossible, considering you cannot send form data via a hyperlink (though you can receive it, but then that gets dynamically added to the URL via method POST.) You can do this, however, by using Javascript by using a submit button (if the page doesn't have protection against csrf) which can dynamically inject parameters via a form, but then you would need a POST request cross-domain which is where my point with needing admin access comes in;
If you were to attempt to do this server-side, you would have to have admin access to both sites, certainly not just to site A. From then you can inject parameters into the hyperlinks via server-side scripting languages such as PHP or Python, which would then add the required information to the form upon landing on site B. But you must (must) be careful, this opens up the potential of a serious security compromise depending on how you allow users to log in to your site. Assuming it's yours. Either way, this is still a bad idea, which concludes to my
Shorter answer: No.
I'm maintaining an application that goes sort of like this:
There is a Page A with a Frame that shows Page B. Now page B is part of a completely different product in a separate domain.
Now, they want that when an option in B is clicked, the WHOLE page is redirected to another page in A. The problem is that the url of A is something like www.client.A.com/Order/Details/123, and when we click in be it should redirect to something like www.client.A.com/Order/Edit/123 but B doesn't know anything about A. It doesn't know which order # is currently selected or anything about A. Page A who has the frame B does know it.
For now my solution has been to just redirect to the AllOrders so something like client.MyCompany/Orders
but since B doesn't know which client is calling it (its a multi-tenant app), I'll add it in the webconfig. (so each client has its own webconfig with a different value).
I dont find this solution optimal but I can't think of anything else! I already tried putting the needed url in page A in a hidden Div (since A does know all the info) and then trying to read the whole DOM of the page from B to find it.... unfortunately I can only get access to Frame B's DOM... (I tried with jquery).
I know frames are evil, but this is how it is written... any ideas?
Thanks!
If the parent page A and the iframe page B are in different domains, you will not be able to access methods or fields via B's parent property, nor will script in A be able to reach into B's content, nor will you be able to share global variables between A and B. This boundary placed between page A and page B is a key part of the browser security model. It's what prevents evil.com from wrapping your online bank web page and stealing your account info just by reading the internal variables of the javascript of the bank's web page.
If you have the luxury of requiring the latest generation of browsers, you can use the postmessage technique mentioned in one of the other answers here. If you need to support older browsers, you may be able to pass small amounts of information using cross-domain client scripting techniques in the browser. One example of this is to use iframes to communicate info between the outer page A and the inner page B. It's not easy and there are many steps involved, but it can be done. I wrote an article on this awhile ago.
You will not be able to monitor clicks in B's iframe from the parent page A. That's a violation of browser security policies at multiple levels. (Click hijacking, for one) You won't be able to see when B's URL changes - A can write to the iframe.src property to change the URL, but once the iframe.src points to a different domain than A's domain, A can no longer read the iframe.src property.
If A and B are in different subdomains of the same root domain, you may have an opportunity to "lower" the domain to a common root. For example, if the outer page A is hosted in subdomain A.foo.bar.com, and B is hosted in subdomain foo.bar.com, then you can lower the domain in page A to foo.bar.com (by assigning window.domain = "foo.bar.com" in A's script). Page A will then behave as a peer of page B and the two can then access each other's data as needed, even though A is technically being served from a different domain than B. I wrote an article on domain lowering, too.
Domain lowering can only peel off innermost subdomains to operate in the context of a root domain. You can't change A.foo.bar.com to abc.com.
There is also a slight risk in lowering domains to a common root domain. When you operate your page in its own subdomain, your html and script are segregated from the other subdomains off the common root domain. If a server in one of the other subdomains is compromised, it doesn't really affect your html page.
If you lower your page's domain to the common root domain, you are exposing your internals to script running on the common root domain and to script from other subdomains that has also lowered its domain to the common root. If a server in one of the other subdomains is compromised, it will have access to your script's internals and therefore it may have compromised your subdomain as well.
in case the page & frame are not on the same domain, you'll have to use postmessage as the same-domain policy prohibits normal javascript-communication between pages/frames of different domains because of security concerns.
postmessage is part of html5 and works in all modern browsers (including IE8). if you need support for older browsers (specifally IE6/7), you could use the jQuery postmessage plugin (which transparently falls back to some nice hash-tag trickery for older browsers).
and as a sidenote: not sure if frames are evil, there are some problems (usability, SEO, ...) related to them, but i did some research and most of these can be tackled i think.
If you want to communicate between frames in javascript you can use 'parent':
If frame A has a variable value, eg:
var orderNo = 2;
For frame B to read it it would refer to
var frameA_orderNo = parent.frames[0].orderNo;
(assuming that frame A is the first frame declared)
So you can set up global variables within each frame that the other frame can read and therefore you can get the order # in old fashioned javascript (never tried it in jquery).
Wow frames - never thought I'd think about them again.
I have a page on a website that contains a secure form inside an iframe. Although the form data submitted is secure the page doesn't appear secure as the URL in the browser is just HTTP. Is there anything I can do to show the users that the form is secure?
Although the form data submitted is secure
It may or may not be encrypted. But it's not secure, and the browser is absolutely correct to deny you a padlock icon.
If the parent page is http, then that page could easily have been altered by a man-in-the-middle attack to point the usually-secure <iframe> to a completely different server to the expected one. Or, the parent page might have had JavaScript injected into it to log any keypresses you make into the form and send them to the attacker's server.
The user would have no way of checking whether this had happened, short of viewing the page source and reading and understanding every line of markup and script inside it. This is absolutely unrealistic.
If you aren't on a page where all content is secured by https, any submission from that page is insecure, regardless of where the form action is pointed.
Open the form in a new window or host the container page on a secure server. Users have a right to be skeptical of an insecure page hosting a supposedly secure page -- it's practically begging for XSS attacks.
Whether the host page is secured or not, placing https secured pages inside an iframe is not a good idea. Even https pages are not invulnerable to xss and MIM attacks. The only way to avoid any confusion as to which domain/web server your web browser is talking to is go direct to the source page - i.e. the one you are trying to put inside your iframe.
Iframes are a convenient way to quickly include content from another page/site, but they open up a whole bunch of opportunities to the dishonest!
Nothing that will trigger the usual browser "This is secure" indicators.
I have a problem where I have a frameset consisting of a parent frame loaded from one domain and a contained frame from a different domain. The contained domain also sets a cookie before the frameset is loaded. However, because of the 'same orgin' policy, enforced by most browsers, a contained frame will not pass cookies if it is not from the same domain as the parent.
Unfortunately I have no control over the parent frame (or its url) and the url for the contained frame is effectively static. So the only way to pass information to the contained site is via cookies.
The only solution I have come up with is to reload the contained domain in the parent frame but this negates some of the value of using frames in the first place.
Does anyone have a better work around for this problem?
There are a couple of methods of getting around the Same Origin Policy that is preventing your iframes from speaking to each other. If you control both servers then you can use Flash's crossdomain.xml file. If you don't control one of the servers or you would like to use JavaScript, then you are forced to use a "Cross-Domain Proxy", such as this one for java or python or php.
Cross-Site XHR is another option but it isn't supported by all browsers.
There are a lot of ways to do this. Here are two that I've used:
Have both the parent and child load
a script from a common source, using
a tag. Scripts loaded in
this way don't have same-origin
issues, and the data they return
becomes part of the document object
and can interact with other scripts
loaded by the document (this is the
way that AJAST works).
Create a reverse proxy in the parent domain, and load the frame via this proxy. To the browser, it appears that they're both served from the same domain. The downside is that this can affect caching, and bypasses any content delivery network (eg, Akamai) that you might be using.
There is also a right way of doing this in HTML 5 with postMessage.
See here: http://ajaxian.com/archives/cross-window-messaging-with-html-5-postmessage
One more thought in to this, where u can use Cross Domain Messaging API to send messages from one frame to another. here is an example! Read more on this.