How can I disable someone from loading a page in an iframe and using javascript to submit?

Question

Title says it all.

Imagine this:

<!DOCTYPE html>
<html>
<head>
</head>
<body>
<iframe style="display:none" name="xxx"></iframe>
<form method='POST' action='http://MYPAGE.com/account/' target="xxx" id="xxx">
  <input type='hidden' name='xxxxxxx' value='yyyyyyyy'>
  <input type='submit' value='submit'>
</form>
<script>document.getElementById("xxx").submit()</script>
</body>

How can I disable an attack like that?

If the page in the iFrame is a different domain (even sub domain) it will NOT have access to the parent. http://stackoverflow.com/a/3420026/1861459 — pherris, Mar 08 '14 at 05:21
@pherris — The question isn't about the iframe having access to the parent, it is about the page submitting a form to `http://MYPAGE.com/account/` — Quentin, Mar 08 '14 at 07:14
This is answered by the CSRF tag wiki: http://stackoverflow.com/tags/csrf/info — Quentin, Mar 08 '14 at 07:16

score 1 · Accepted Answer · answered Mar 08 '14 at 15:48

Use the X-Frame-Options and set it to DENY or SAMEORIGIN. DENY will completely deny anybody from framing the page in an iframe and SAMEORIGIN will only allow the same origin to display the page in an iframe. See https://coderwall.com/p/kdv1hw for more information.

How can I disable someone from loading a page in an iframe and using javascript to submit?

1 Answers1