Why is top window forbidden from accessing frames inside it? (unless content from same server)_问答_开发者

Why is top window forbidden from accessing frames inside it? (unless content from same server)

开发者 https://www.devze.com 2023-04-06 01:49 出处：网络

开发者_如何学编程I understand the reason for forbidding iframes from accessing the top window, but the other way around it seems a bit unnecessary and restricting of innovative applications.It\'s actu

开发者_如何学编程I understand the reason for forbidding iframes from accessing the top window, but the other way around it seems a bit unnecessary and restricting of innovative applications.

It's actually more dangerous to be able to access content in a child window, because the top window is "in control" (i.e., the top window chooses which page to display in the iframe). Technically the threat is the same either way, but it makes it a lot easier for a malicious web site if it can host it's own iframes, rather than hope it gets embedded in a target site.

By preventing access to the contents when they're cross-domain, it prevents a whole host of XSRF and XSS attacks. For example, if I was running a malicious web site, I could simply place hidden iframes on my page to dozens of popular sites, whether they be social networking, e-mail, financial, etc. If you were already authenticated against any of them, your browser would send your session cookies along, even within the iframe, and the iframe would serve an authenticated page with secure content.

This is obviously really bad if the parent window can scrape the child window or inject new JavaScript into the child window to be executed.

Because this would allow you to relatively invisibly put a site like paypal.com in an iframe and then change that site, thus deceiving the user (and perhaps capturing the credentials or bank account information entered).

One web site is not allowed to modify the behavior of another site, purely from the web. Modifying the behavior of a site can be done with browser plug-ins or with add-on frameworks like greasemonkey, but the user has to choose to install those capabilities and there's an assumption that they only install capabilities they trust (not always true, but that's what it relies on).

It's potentially even more dangerous for the top level frame to be able to access the embedded frames because the top level frame gets to decide which sites to put in the embedded frames and thus attack/mess with.

It's the same issue as child to parent. You don't want the chance of malicious sites messing with the content of valid sites they just happen to be in the same browser window with.