0

If Site A has an iframe of Site B, and the two sites are on different domains, can Site B know (via js or something) if it's in an iframe with the allow-same-origin attribute and thwart it?

I need to reassure the administrators of site B that their site is safe within an iframe on Site A.

EDIT: This question is essentially moot as I've misunderstood what allow-same-origin means

Edge
  • 2,456
  • 6
  • 32
  • 57
  • 2
    If site B is embedded in iframe in site A and the two are on different domains, then site B is in full control. If it does not want to cooperate with site A, then site A will not get any access via the browser. – jfriend00 Feb 04 '15 at 22:35
  • So Site B, via JS, can access the iframe it's in and do with it what it wants? – Edge Feb 04 '15 at 22:36
  • 1
    Site B operates like it's own web page. It's own JS has access to it's own content and only it's own content. It does not even have to be aware of the fact that it's in an iframe of site A. It just works normally. The `allow-same-origin` attribute you speak of opens site B up to access from other documents that have the same origin of site B, but does not open it up at all to documents with a different origin. So, if site A has a different origin, then site A will have no access to site B's embedded page. It's a little hard to figure out exactly what you're asking. – jfriend00 Feb 04 '15 at 22:40
  • It's possible I've misunderstood what allow-same-origin means then. I assumed it meant that cross domain iframe could be accessed like same origin iframes. – Edge Feb 04 '15 at 22:43

1 Answers1

4

If you take the normal case of a containing web page site A that has an iframe embedded in it site B, then the browser's same-origin restrictions make it impossible for site A to access anything in site B's page unless site B specifically cooperates to allow that usually with window.postMessage() - a means of sending messages between documents, windows or frames of a different origin. By default, no access is allowed.

You refer to a sandbox attribute on the iframe allow-same-origin. When you add the sandbox attribute, things are shut-down even more so even less access is allowed. The allow-same-origin attribute brings back access from the same origin only. Since your example of site A and site B are on different origins, this should have no effect on the access between them. site A's page will still not be able to access site B's page.

jfriend00
  • 683,504
  • 96
  • 985
  • 979