iframe-resizer
What is preventing the IFrame from receiving events from other parent pages?
I'm not an expert at all on iFrame messaging security, so please forgive me if there's something "built in" to how container-to-iFrame child messaging works.
I can see how the "parent" iframeResizer code is doing an "allowed Origin" check, but it appears that the "child" iFrame's iframeResizer.contentWindow code is not executing a similar check verifying that its parent page is not a malicious source.
Is there some internal iFrame messaging security that prevents the child from receiving events from unauthorized web pages?
There is an option to set this in the iframe
https://github.com/davidjbradshaw/iframe-resizer/blob/master/docs/iframed_page/options.md
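The check the question asks about, written against the browser's plain `message` event rather than iframe-resizer's own option. This is an added example, not code from the project or from either poster; the origins and function names are constructed for illustration.

```javascript
// Origin allowlist for a postMessage receiver running inside an iframe.
// Browsers deliver `message` events from any window that holds a reference
// to the frame, so the receiver itself must check event.origin.

// Normalise configured origins once; URL.origin drops paths and default ports.
function buildAllowlist(origins) {
  return new Set(origins.map((o) => new URL(o).origin));
}

// Weak check, shown for contrast: a prefix match also accepts look-alike hosts.
function isAllowedWeak(origin, trusted) {
  return origin.startsWith(trusted);
}

// Hardened check: exact match against the normalised set. The opaque origin
// "null" (sandboxed frames, data: URLs) is never in the set, so it is rejected.
function isAllowed(origin, allowlist) {
  return typeof origin === 'string' && allowlist.has(origin);
}

// Returns a listener for window.addEventListener('message', listener).
function makeReceiver(trustedOrigins, onMessage) {
  const allowlist = buildAllowlist(trustedOrigins);
  return function receive(event) {
    if (!isAllowed(event.origin, allowlist)) return false; // drop silently
    onMessage(event.data, event.origin);
    return true;
  };
}

// Constructed sample events standing in for what the browser would deliver.
const sampleEvents = [
  { origin: 'https://parent.example', data: 'resize:1' },               // trusted parent
  { origin: 'https://parent.example.attacker.test', data: 'resize:2' }, // look-alike host
  { origin: 'http://parent.example', data: 'resize:3' },                // wrong scheme
  { origin: 'null', data: 'resize:4' },                                 // opaque origin
];

function runSample() {
  const accepted = [];
  const receive = makeReceiver(['https://parent.example:443/embed'],
    (data) => accepted.push(data));
  const verdicts = sampleEvents.map((e) => receive(e));
  return { accepted, verdicts };
}
```
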
Awesome-- thanks!