0

In the following code when you press submit, the iframe is loaded with the url mentioned in the textbox. Is this not the violation of not allowing cross domain request ? I am using mozilla 14.0.

<!DOCTYPE html>
<head>
<script>
function myFunction()
{
document.getElementById("site").src=document.getElementById("web").value;
}
</script>
</head>
<body> 
<input id="web" type="text" name="user">
<input type="submit" value="Submit"  onclick="myFunction()"> <br/>
<iframe id="site" src="" width="1200" height="1200"></iframe>

</body>
</html>
Ashni Goyal
  • 819
  • 3
  • 10
  • 20

4 Answers4

1

No, it's not a violation, It's perfectly valid.

The same origin policy prevents access to methods and properties across pages on different domains. It also prevents modifying the included webpage. But does not prevent you from including it as a whole (and even interact with it in a limited way).

Basically, this policy prevents Website A to pose as User on Website B.

Example

Imagine youvisit into your bank account (bank.com). When you log in, the bank website generates a "user environment" for you, giving you access to restricted content. Also, it enables you to make modifications to your bank account through http requests (either form submission or an Ajax request).

The website trusts you because you've proved that you are who you say you are and you trust the website because you know that for all intents and purposes, no one but you can interact with your bank website while you're in that secured environment.

Now imagine you visit a malicious website on another tab (evilweb.com) that has an iframe with your bank website. Without this policy, evilweb.com could pose as YOU, gaining access to the restricted area, reading DOM information (bank account number, etc...) and even interact with it, clicking in the Transfer funds button and cleaning your bank account. That iframe could even be hidden.

However, nothing prevents evilweb.com from "downloading" the the public contents of bank.com, the same way nothing prevents me from accessing a public website even if I don't posses access credentials.

So... Posing as an user is different from making a request

So, basically, evilweb.com can make requests directly to bank.com, but it cannot piggyback on you and make requests on your behalf.

Tivie
  • 18,864
  • 5
  • 58
  • 77
  • 1) You are saying I cannot use the javascript to modify the content of the `iframe` (in this case) ? – Ashni Goyal Feb 08 '13 at 16:54
  • 1) With javascript you can modify some things (i will add this to the answer) 2) You don't need an iframe to access another websote content. You cannot read the iframe source as it is seen by the user, just what you would see if you open that website in another tab, for example – Tivie Feb 08 '13 at 17:13
  • @Ashni: 1) yes. 2) use a proxy – Bergi Feb 08 '13 at 17:13
  • @Borgi He can modify the url of the iframe, although the page would not reload – Tivie Feb 08 '13 at 17:16
  • @Tivie w/o iframe , how do i embed the external webpage ? I would need the html source code as string and then display it using JS. But how to get source code ? – Ashni Goyal Feb 08 '13 at 17:18
  • @Bergi also communication between webpages in different domains using iframes is possible (if you control both ends) using iframe nesting. – Tivie Feb 08 '13 at 17:18
  • @Tivie: Yes, of course there are some methods that allow cross-domain-messaging. However, you never will get direct access to the other page. – Bergi Feb 08 '13 at 17:22
  • @AshniGoyal http://stackoverflow.com/questions/5059302/cannot-load-an-external-page-with-jquery-load-into-a-div-in-my-page – Tivie Feb 08 '13 at 17:29
  • @Tivie that was a great explanation. Consider adding it to wikipedia. My question is , can evilweb.com access the html source code of bank.com, which it has iframed ? I am asking this because i cannot see the source code of iframe content after right click. – Ashni Goyal Feb 08 '13 at 18:41
  • @Tivie It will be nice of you if you could help me with this http://stackoverflow.com/questions/14779467/html-source-code-of-external-webpage-as-string – Ashni Goyal Feb 08 '13 at 19:27
0

No. There is no data being transferred between one domain and the other.

From a security perspective it is totally irrelevant if the URL you navigate the frame to comes from user input or from any other source.

If you tried to pull data from inside the iframe to the outside world or to manipulate the contents of the iframe, that would be a violation of the same-origin policy and it would fail.

Jon
  • 428,835
  • 81
  • 738
  • 806
  • So under the policy , is it possible to get the html source code of an external page as string ? or the policy prevents that. – Ashni Goyal Feb 08 '13 at 16:26
  • @AshniGoyal: Sure it's possible. You can make an HTTP request to anyone, and if they respond you get the response as a string (whatever it is). – Jon Feb 08 '13 at 16:29
  • Are you suggesting that I need to have permission from that webpage owner? or there are `javascript/ajax` ways to get the html source code of external webpage as a string without anybody's consent (like what I did in this code)? – Ashni Goyal Feb 08 '13 at 16:35
  • The same origin policy does not prevent moving *content* across domains (otherwise how would Google be able to put ads on your page?). It prevents a page from one domain tap into *the browser's internal state* for a page from another domain. – Jon Feb 08 '13 at 16:37
0

No, it's okay to load the page. However, you will not be able to access the contents of the iframed cross-origin document.

Bergi
  • 630,263
  • 148
  • 957
  • 1,375
  • So under the policy , is it possible to get the html source code as string ? or the policy prevents that. – Ashni Goyal Feb 08 '13 at 16:21
  • You can get the html source of any public webpage. – Tivie Feb 08 '13 at 16:28
  • @Tivie so if i can get the html code of an external webpage, is that not violation of one domain policy ? – Ashni Goyal Feb 08 '13 at 16:30
  • @Tivie: No, not really. Not from JavaScript embedded in a page on a different domain, at least. The SOP is because not all webpages are public (password-protected, intranet-only, etc), and the browser does not know whether only the user can see it. So he prevents other JS from seeing what the user is allowed to see on other domains. – Bergi Feb 08 '13 at 16:59
  • @Bergi you are saying it is not possible to get the html code of an external webpage ? – Ashni Goyal Feb 08 '13 at 17:08
  • @AshniGoyal: Yes, unless somehow explicitly allowed by the external page. Read more on http://en.wikipedia.org/wiki/Same_origin_policy. The simplest workaround will be a proxy at your domain. – Bergi Feb 08 '13 at 17:12
  • @Bergi I wanted to avoid proxy. – Ashni Goyal Feb 08 '13 at 17:14
  • @AshniGoyal: You will have to. Everything else will load the page from the users' (logged-in?) perspective, and needs to prevent access. – Bergi Feb 08 '13 at 17:17
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/24201/discussion-between-ashni-goyal-and-bergi) – Ashni Goyal Feb 08 '13 at 17:22
0

The JavaScript isn't doing anything with the external page so there is no cross domain issues. All you code does is tel the iframe to load a url.

Ash Burlaczenko
  • 24,778
  • 15
  • 68
  • 99