I am curious, what makes www.jsfiddle.net secure from XSS-based attacks? They have support for accounts, so clearly any script they run in the browser may do evil things.
Viewed 2,272 times
26
- (2) The code is actually running in an iframe so it can't directly access the parent. – JohnP Jul 18 '11 at 11:57
- Ah, so it runs within an iframe which has a different Origin? Is that all? Make it an answer so I can accept it :) – Tower Jul 18 '11 at 12:04
- (3) I'm voting to close this question as off-topic because it belongs to https://security.stackexchange.com/ – Shankar Narayana Damodaran Jul 08 '19 at 09:26
1 Answer
25
If you look at the results pane for a fiddle, you'll notice that it's actually an IFRAME pointing to a different domain, which means that built-in security will kick in, which generally prevents access to the parent window.
This fiddle, for example: http://jsfiddle.net/jomanlk/y9zCK/
is actually served by: http://fiddle.jshell.net/jomanlk/y9zCK/show/

JohnP
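The property the answer relies on is that the fiddle's output frame is served from a different origin (scheme, host and port) than the page embedding it, so the same-origin policy stops the frame's script from reaching the parent window. The following is an added example, not jsfiddle's own code: it implements the origin comparison and a small helper that refuses to embed untrusted content unless it is cross-origin, adding the HTML `sandbox` attribute as defence in depth. The function names and the `allow-scripts`-only sandbox policy are the example's own choices.

```javascript
// Added example (not jsfiddle's code): verify that untrusted content is
// embedded from a different origin than the host page, the property the
// answer above depends on.

// Ports the same-origin policy treats as implicit when none is given.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin tuple (scheme, host, port) of a URL, serialised for comparison.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// True when two URLs share scheme, host and port, i.e. script in one
// document may read and modify the DOM of the other.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Minimal HTML attribute escaping so a crafted URL cannot break out of
// the src attribute of the generated markup.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Builds iframe markup for untrusted content. Refuses a same-origin source,
// and sets sandbox without allow-same-origin so the frame gets an opaque
// origin even if hosting or DNS for the content domain changes later.
function isolatedFrame(hostPage, contentUrl) {
  if (sameOrigin(hostPage, contentUrl)) {
    throw new Error(`refusing to embed ${contentUrl}: same origin as host page`);
  }
  return `<iframe sandbox="allow-scripts" src="${escapeAttr(contentUrl)}"></iframe>`;
}

// Constructed sample: the two URLs quoted in the answer above.
const HOST = 'http://jsfiddle.net/jomanlk/y9zCK/';
const CONTENT = 'http://fiddle.jshell.net/jomanlk/y9zCK/show/';
console.log(sameOrigin(HOST, CONTENT) ? 'same origin (unsafe)' : 'cross-origin (isolated)');
console.log(isolatedFrame(HOST, CONTENT));
```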
- (4) I'd like to add that you can log in at http://fiddle.jshell.net/. This could be abused by hackers redirecting to that page, asking the user to log in and then spying on the session id. – Yogu Nov 24 '11 at 19:52