0

This question treats about javascript code running in a browser (client-side).

Say I know I am in an iframe, can I trust window.parent.location or document.referrer to actually be the true url of the parent of my iframe?

In other words, assuming that the user's browser does a correct job of following CORS specifications, could evil.com iframe my page in such a way that window.parent.location or document.referrer is not evil.com ?

epascarello
  • 204,599
  • 20
  • 195
  • 236
Sinder
  • 273
  • 1
  • 11
  • 1
    So you delete the one and make another? – epascarello Dec 23 '20 at 18:23
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options – epascarello Dec 23 '20 at 18:25
  • As stated in the question you deleted... You can not even be sure it is a browser – epascarello Dec 23 '20 at 18:26
  • 2
    He does say *assuming that the user's browser does a correct job of following CORS specifications*, which seems like a reasonable assumption to me. I'd be pretty confident that the properties you refer to are trustworthy, but I'm not 100% sure. – CertainPerformance Dec 23 '20 at 18:28
  • @epascarello if it's not a browser, it probably isn't an authenticated user either. This question is not about protecting me from "not a browser" scenarios, but from evil websites iframing my page, pretending to be other websites – Sinder Dec 23 '20 at 18:29
  • @Sinder not hard to get cookies and send it – epascarello Dec 23 '20 at 18:33
  • @epascarello I am not in a server-side scenario (as the other question seemed to imply), and I do not want to prevent iframing in a not-same-origin scenario. – Sinder Dec 23 '20 at 18:34
  • I am not sure how a they would fake the parent.location..... You are talking about altering the browser.... Whitelist domains and trust the browser – epascarello Dec 23 '20 at 18:34
  • I want to know if parent.location could be faked by the parent of an iframe. I'm pretty sure it could be faked by an altered browser – Sinder Dec 23 '20 at 18:36
  • 1
    https://developer.mozilla.org/en-US/docs/Web/API/Window/location is read only https://stackoverflow.com/questions/6478617/is-it-possible-to-overwrite-window-location-function-with-a-custom-function – epascarello Dec 23 '20 at 18:50

0 Answers0