9

I'm currently in the process of implementing CSRF protection into my framework (PHP).

However, I am wondering:

Wouldn't it be possible for an attacker to load my page in a (hidden) iframe (obtaining the token) and change some data using JavaScript?

And after that submitting the form?

alex
PeeHaa

1 Answer

11

Unless the attacker's page has the same domain, protocol and port as yours (if it is, you probably have more serious problems), they won't be able to read the iframe's HTML because of Same Origin Policy.

alex
  • Ok kewl. I thought the Same Origin Policy only meant we couldn't do requests. – PeeHaa Jul 17 '11 at 14:10
  • @PeeHaa: It depends on the context. With an `iframe`, it means unless the domain, port and protocol match, you can not access the `iframe`'s DOM. – alex Jul 17 '11 at 14:11