{"id":20666198,"url":"https://github.com/hazcod/iframe-token-example","last_synced_at":"2026-02-14T14:33:21.217Z","repository":{"id":72455646,"uuid":"183571306","full_name":"hazcod/iframe-token-example","owner":"hazcod","description":"Example case on how to pass a confidential token to iframe contents in a somewhat secure way.","archived":false,"fork":false,"pushed_at":"2019-04-26T08:36:11.000Z","size":6,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-09-08T05:56:27.882Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hazcod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-04-26T06:33:46.000Z","updated_at":"2019-04-26T08:36:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"f7beecaf-c428-46f7-a1a8-45046ff9089a","html_url":"https://github.com/hazcod/iframe-token-example","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/hazcod/iframe-token-example","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hazcod%2Fiframe-token-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hazcod%2Fiframe-token-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hazcod%2Fiframe-token-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hazcod%2Fiframe-token-example/manifests","owner_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hazcod","download_url":"https://codeload.github.com/hazcod/iframe-token-example/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hazcod%2Fiframe-token-example/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29447274,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-14T14:10:32.461Z","status":"ssl_error","status_checked_at":"2026-02-14T14:09:49.945Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-16T19:35:48.264Z","updated_at":"2026-02-14T14:33:21.199Z","avatar_url":"https://github.com/hazcod.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# iframe-token-example\nExample case on how to pass a confidential token to iframe contents in a somewhat secure way.\n\nThis case expects the token to be a single-use token.\n\n## iframe sandbox\nWhenever you activate the iframe sandbox, the origin of the framed page will be set to 'null'.\nSo it will not longer be possible to execute a `frame.contentWindow.postMessage(token, 'http://my-framed-origin');`.\nIf we use `frame.contentWindow.postMessage(token, '*');` however, it will work since we are broadcasting to everything in the frame.\n\nThe question here is what we think is the least of all evil:\n1. 
Enable the sandbox, preventing breakout from the framed page to our own, but leaking the token to every origin of the framed content.\n2. Leave the sandbox disabled, allowing breakout from the framed page, but sending the token only to a single origin in the frame.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhazcod%2Fiframe-token-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhazcod%2Fiframe-token-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhazcod%2Fiframe-token-example/lists"}