
I have an iframe declared as

<iframe src="..." sandbox="allow-scripts">
....
</iframe>

Notice that I have not specified the allow-same-origin property.

What is the origin of the iframe? If I want to fetch a resource inside the iframe from an external domain, which origin should I allow in CORS headers?

pepper
  • If you’ve not specified `allow-same-origin`, then the origin of that `iframe` is null — per the requirements in the HTML spec; see https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox, which says that when an `iframe` has a `sandbox` attribute, *“the content is treated as being from a unique origin…. The `allow-same-origin` keyword causes the content to be treated as being from its real origin instead of forcing it into a unique origin”*. And where the spec says *“unique origin”*, that means browsers expose null as the origin. – sideshowbarker Jun 03 '21 at 01:01
  • To fetch a resource inside that iframe from an external origin, the origin you should allow in the CORS header is: all origins — i.e. `Access-Control-Allow-Origin: *`. That’s the only thing that’d make sense in practice. In other words, to make it work you would necessarily need to also allow requests from any arbitrary origin — from all origins. The only way to lock it down further for that iframe would be to put `allow-same-origin` in the `sandbox` value, and then on the server side, generate your Access-Control-Allow-Origin value from an allow list that includes that iframe’s origin. – sideshowbarker Jun 03 '21 at 01:09
  • One question: if I have an HTML doc which I can fetch in my parent context, how can I host the HTML in the iframe? – pepper Jun 03 '21 at 05:50
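The two server-side options from the comments above, as an added example that is not part of the question or the comments: a sandboxed frame without `allow-same-origin` sends `Origin: null`, which an allow list of real origins can never match, so only a wildcard works; with `allow-same-origin` the frame sends its real origin and an allow list can match it. The origins `https://app.example` and `https://widget.example` are assumed values for illustration.

```javascript
// Added example: minimal server-side CORS decision for a request coming from
// an iframe. The origins below are assumed, not from the original question.
const ALLOW_LIST = new Set([
  "https://app.example",    // assumed origin of the embedding page
  "https://widget.example", // assumed real origin of the iframe document
]);

// The Origin header a browser sends for a cross-origin request from a frame:
// sandboxValue is the iframe's sandbox attribute (null when absent).
function originSentBy(sandboxValue, realOrigin) {
  if (sandboxValue === null) return realOrigin;        // not sandboxed at all
  const keywords = sandboxValue.split(/\s+/).filter(Boolean);
  // Sandboxed without allow-same-origin => opaque origin, serialised as "null".
  return keywords.includes("allow-same-origin") ? realOrigin : "null";
}

// Build the CORS response headers for a request carrying requestOrigin.
// Returns null when the request should get no CORS headers at all.
function corsHeadersFor(requestOrigin, { wildcard = false } = {}) {
  if (wildcard) {
    // Any origin, including "null", may read the response. "*" cannot be
    // combined with credentials, so no cookie-bearing access is granted.
    return { "Access-Control-Allow-Origin": "*" };
  }
  // Opaque origins arrive as the literal string "null". Do not allow-list
  // that string: every sandboxed frame, data: URL and file: page sends it,
  // so matching it would effectively allow any such document.
  if (!requestOrigin || requestOrigin === "null") return null;
  if (!ALLOW_LIST.has(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin, // echo only the matched origin
    "Vary": "Origin",                             // keep shared caches per origin
  };
}

// sandbox="allow-scripts" only: the allow list cannot match, wildcard can.
const o1 = originSentBy("allow-scripts", "https://widget.example"); // "null"
corsHeadersFor(o1);                      // null
corsHeadersFor(o1, { wildcard: true }); // { "Access-Control-Allow-Origin": "*" }

// sandbox="allow-scripts allow-same-origin": the real origin is sent and matched.
const o2 = originSentBy("allow-scripts allow-same-origin", "https://widget.example");
corsHeadersFor(o2); // { "Access-Control-Allow-Origin": "https://widget.example", Vary: "Origin" }
```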
