https://github.com/hazcod/iframe-token-example
Example case on how to pass a confidential token to iframe contents in a somewhat secure way.
- Host: GitHub
- URL: https://github.com/hazcod/iframe-token-example
- Owner: hazcod
- Created: 2019-04-26T06:33:46.000Z (about 7 years ago)
- Default Branch: master
- Last Pushed: 2019-04-26T08:36:11.000Z (about 7 years ago)
- Last Synced: 2025-09-08T05:56:27.882Z (10 months ago)
- Language: HTML
- Homepage:
- Size: 5.86 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# iframe-token-example
Example case on how to pass a confidential token to iframe contents in a somewhat secure way.
This case expects the token to be a single-use token.
## iframe sandbox
Whenever you activate the iframe sandbox, the origin of the framed page will be set to `null`.
So it will no longer be possible to execute `frame.contentWindow.postMessage(token, 'http://my-framed-origin');`, because the targetOrigin check can never match a `null` origin.
If we use `frame.contentWindow.postMessage(token, '*');` instead, it works, since we are broadcasting to whatever document is currently loaded in the frame, regardless of its origin.
The question here is which we think is the lesser evil:
1. Enable sandbox, preventing breakout from the framed page to our own, but having the token leaked to all of the framed contents origins.
2. Leave sandbox disabled, allowing breakout from the framed page but only sending the token to a single origin in the frame.
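As an added illustration of both halves of that trade-off (this is not code from the repository), the helpers below implement the host side and the framed side of the hand-off. Names such as `createTokenSender` and `createTokenReceiver` and the origins `https://host.example` / `https://framed.example` are assumptions; window objects are passed in so the same functions run in a browser or, as in the simulated run at the bottom, in Node with constructed fakes.

```javascript
// Host side: choose the postMessage targetOrigin. A sandboxed frame (one
// without allow-same-origin) has origin "null", so only "*" reaches it.
function targetOriginFor(frameIsSandboxed, framedOrigin) {
  return frameIsSandboxed ? '*' : framedOrigin;
}

// Host side: hand the single-use token out exactly once, and only after the
// document inside *our* frame (event.source === frame.contentWindow) says it
// is ready. With "*" this is the one check the host still has.
function createTokenSender(token, frameWindow, frameIsSandboxed, framedOrigin) {
  let consumed = false;
  return function onReady(event) {
    if (consumed || event.source !== frameWindow || event.data !== 'ready') return false;
    consumed = true;
    frameWindow.postMessage({ type: 'token', token }, targetOriginFor(frameIsSandboxed, framedOrigin));
    return true;
  };
}

// Framed side: accept the token only from the expected host origin, only in
// the expected shape, and only once.
function createTokenReceiver(expectedHostOrigin, onToken) {
  let received = false;
  return function onMessage(event) {
    if (received || event.origin !== expectedHostOrigin) return false;
    const d = event.data;
    if (!d || d.type !== 'token' || typeof d.token !== 'string') return false;
    received = true;
    onToken(d.token);
    return true;
  };
}

// Simulated run with constructed fake windows and events (no DOM needed).
function simulate() {
  const sent = [];
  const frameWin = { postMessage: (data, origin) => sent.push({ data, origin }) };
  const strangerWin = { postMessage: () => { throw new Error('must not be reached'); } };
  const send = createTokenSender('constructed-token-1', frameWin, true, 'https://framed.example');
  const results = [
    send({ source: strangerWin, data: 'ready' }), // rejected: not our frame
    send({ source: frameWin, data: 'ready' }),    // accepted: token goes out with "*"
    send({ source: frameWin, data: 'ready' }),    // rejected: single use
  ];
  const got = [];
  const recv = createTokenReceiver('https://host.example', (t) => got.push(t));
  recv({ origin: 'https://other.example', data: sent[0].data }); // rejected: wrong origin
  recv({ origin: 'https://host.example', data: sent[0].data });  // accepted
  return { results, sent, got };
}
```

In the browser the sender is wired as `window.addEventListener('message', onReady)` on the host and the receiver as the same listener inside the frame, with the frame posting `'ready'` to its parent on load.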