This repository has been archived by the owner on Nov 13, 2018. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 16
agibralter/iframe-widget-test
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
This is a proof-of-concept for using the post-to-iframe method of setting
cookies for x-domain iframe requests. Facebook uses this method for iframe
canvas page apps.
See the images in screenshots/ to see how this works in browesrs.
Basically what happens is we request a page on the iframe-widget-test-base
domain which generates a random token. Then with JS on page load, we submit
a form that has the iframe as the target. The form action url is, of course,
a separate domain: iframe-widget-test-frame. In that request to the frame we
set a cookie in the response to the randomly generated token. We then use JS in
that frame to show that the cookie is indeed set for the frame's domain. As
a control, we load another iframe (on the right in the pictures) with a normal
GET request (iframe's src attribtue) on the same domain as the base page
(iframe-widget-test-base) to show that no cookie gets set for the base page.
Finally, to show that the x-domain iframe is indeed isolated, we try to use JS
in the base page to access the title of the frame. In the x-domain iframe, we
cannot access the title (browser security enforces that JS cannot communicate
between frames with different domains). In the same-domain iframe, we can
access the title.
To run this yourself...
This test requires entries in /etc/hosts; e.g.:
127.0.0.1 iframe-widget-test-base.urtak.com
127.0.0.1 iframe-widget-test-1.urtak.is
127.0.0.1 iframe-widget-test-2.urtak.is
127.0.0.1 iframe-widget-test-3.urtak.is
127.0.0.1 iframe-widget-test-4.urtak.is
Run with shotgun: `bundle exec shotgun`.
**Also, somehow, you'll need to forward requests to port 80 to 9393 (for use
with shotgun).**
Navigate to http://iframe-widget-test-base.urtak.is/ in your browser.
Currently the post-to-iframe technique works in:
- FF3+
- IE6+
- Chrome (every version I've tried...)
- Opera (9+ I think...)
- Safari (before v6)
- mobile Safari (before iOS v6)
Safari 6+ and mobile Safari in iOS 6+ threw a wrench in the whole technique
though. It looks like localStorage works in cross-domain iframes, though, so
that may provide a work around for the future (requires application
rearchitecting).
Chrome with "block third party cookies and site data" does not even allow
localStorage.
About
No description, website, or topics provided.
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published