iframe-widget-test icon indicating copy to clipboard operation
iframe-widget-test copied to clipboard

Published 20 hours ago verified publisher icon agibralter

Metadata

This is a proof-of-concept for using the post-to-iframe method of setting cookies for x-domain iframe requests. Facebook uses this method for iframe canvas page apps.

See the images in screenshots/ to see how this works in browesrs.

Basically what happens is we request a page on the iframe-widget-test-base domain which generates a random token. Then with JS on page load, we submit a form that has the iframe as the target. The form action url is, of course, a separate domain: iframe-widget-test-frame. In that request to the frame we set a cookie in the response to the randomly generated token. We then use JS in that frame to show that the cookie is indeed set for the frame's domain. As a control, we load another iframe (on the right in the pictures) with a normal GET request (iframe's src attribtue) on the same domain as the base page (iframe-widget-test-base) to show that no cookie gets set for the base page. Finally, to show that the x-domain iframe is indeed isolated, we try to use JS in the base page to access the title of the frame. In the x-domain iframe, we cannot access the title (browser security enforces that JS cannot communicate between frames with different domains). In the same-domain iframe, we can access the title.

To run this yourself...

This test requires entries in /etc/hosts; e.g.:

127.0.0.1 iframe-widget-test-base.urtak.com
127.0.0.1 iframe-widget-test-1.urtak.is
127.0.0.1 iframe-widget-test-2.urtak.is
127.0.0.1 iframe-widget-test-3.urtak.is
127.0.0.1 iframe-widget-test-4.urtak.is

Run with shotgun: bundle exec shotgun.

Also, somehow, you'll need to forward requests to port 80 to 9393 (for use with shotgun).

Navigate to http://iframe-widget-test-base.urtak.is/ in your browser.

Currently the post-to-iframe technique works in:

  • FF3+
  • IE6+
  • Chrome (every version I've tried...)
  • Opera (9+ I think...)
  • Safari (before v6)
  • mobile Safari (before iOS v6)

Safari 6+ and mobile Safari in iOS 6+ threw a wrench in the whole technique though. It looks like localStorage works in cross-domain iframes, though, so that may provide a work around for the future (requires application rearchitecting).

Chrome with "block third party cookies and site data" does not even allow localStorage.

Metadata

67
Stars
16
Forks
Watchers

Owner

verified publisher icon agibralter

Metadata

Back