javascript - Securing script injection and execution on third party iframes -


i want able inject scripts iframed page (hosted on 3rd party server) within page served out of own server (to visualize changes wysiwygapp).

since have small stub script on 'target' page, guess have method allows arbitrary script execution of whatever passed it. doesnt sound secure, since open attack vector neat xss. 1 of ideas had securing passing sort of token alongside scripts want run, stub client code check server, , execute scripts. make sense? point me precedents perhaps?

many thanks

first off, sounds control small amount of code in actual iframe. rather proposal of allowing others inject script via stub (which open sorts of attacks), why don't put actual "safe" code want in iframe , notify parent frame of results?

second off, there zillion web pages written safe cross-domain iframe communication. since i'm still not sure you're trying do, may need searching , find mechanism works best you. google search "safe cross domain iframe communication" finds ton of information.

third, article came across , liked best cross domain communication iframes , safest technique looks postmessage because shares data only, doesn't allow code calling , can check origins trusts, though postmessage available in newer browsers have fall 1 of other techniques works in older browsers too. here's jquery plugin uses postmessage when available , falls technique when not.

if info isn't enough, please tell more you're trying in iframe or information you're trying pass between 2 origins?


Comments

Post a Comment

Popular posts from this blog

c++ - Is it possible to compile a VST on linux? -

for class project i'm attempting write vst plugin backed cuda. current cuda workflow on linux box, i'd prefer compile , link there. according wikipedia , should possible (i couldn't find steinberg documentation relevant linux) can't find makefile or instructions on how build if aren't using xcode or visual studio. i'm vst 3 sdk doesn't support linux. when try compile plugin under linux, error: ./base/source/fatomic.cpp:39:30: fatal error: libkern/osatomic.h: no such file or directory this issue caused following code in "vst3 sdk/base/source/fatomic.cpp" #if mac #include <libkern/osatomic.h> #if mac_os_x_version_min_required > mac_os_x_version_10_4 #define native_atomic_type (volatile int32_t*) #else #define native_atomic_type (int32_t*) #endif #elif windows #include <windows.h> #endif but hope compiling under linux work vst sdk 2.4. reading. jvstwrapper seems run on lin...
Read more

java - Output of Eclipse is rubbish -

i want write program in eclipse language different english. when display output using system.out program, displays output correctly in console editor. when accept input console , output it, output rubbish. how can solve it. many thnaks i'm not sure if problem, have character encoding problem. make sure you're using unicode, utf-8. you can read more @ official docs converting non-unicode text .
Read more

jquery - Confused with JSON data and normal data in Django ajax request -

i read json internet still have not got grasp of it. reading article http://webcloud.se/log/ajax-in-django-with-jquery/ i not understood first part function using json def xhr_test(request, format): if request.is_ajax(): if format == 'xml': mimetype = 'application/xml' if format == 'json': mimetype = 'application/javascript' data = serializers.serialize(format, examplemodel.objects.all()) return httpresponse(data,mimetype) # if want prevent non xhr calls else: return httpresponse(status=400) my main problems are from function getting format variable does format json mean data given function json or data recived json can give me simple example ouput of function data = serializers.serialize(format, examplemodel.objects.all()) how use data when response in jquery function if don't use json in above function how input , response chnage thanks ...
Read more