3

The header is used to allow cross domain requests in IE through iframes. I've tested adding this, and my code executes as expected now in IE.

What possible harm could come from adding this header?

1 Answer

2

It depends... Do you trust everyone you frame? Do you trust everyone that is framing you? Do you know that I don't frame you, and then alter the content of your page?

There is a proper HTML5 solution for this: postMessage (see e.g. http://html5demos.com/postmessage2). This lets you set up trust relationships etc.

jQuery even has a wrapper plugin that encapsulates this, and uses an #anchor trick if the browser does not support the HTML5 postMessage:

http://benalman.com/projects/jquery-postmessage-plugin/ http://plugins.jquery.com/plugin-tags/postmessage

Be security aware, don't turn off browser-enabled security features... :)

Erik A. Brandstadmoen
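The "trust relationships" the answer refers to come down to two checks on each side of a postMessage exchange: the receiver compares `event.origin` against an allow-list before touching `event.data`, and the sender names the exact `targetOrigin` it expects so the browser discards the message if the frame has been navigated elsewhere. The following is an added example, not code from the answer or from the jQuery plugin it links. The browser APIs it uses (`window.postMessage`, the `message` event, `event.origin`) are real; the two origins, the message types, and the `fakeWindow` stand-in that lets it run under Node are this example's own assumptions.

```javascript
// Added example: origin-checked postMessage between a framing page and a framed
// widget. Origins, message types and the fakeWindow harness are assumptions made
// for illustration; only the postMessage/message-event semantics are the browser's.

const PARENT_ORIGIN = "https://app.example";    // assumed: the page doing the framing
const WIDGET_ORIGIN = "https://widget.example"; // assumed: the page being framed

// Receiver side. Returns a 'message' event handler that (1) drops events whose
// origin is not on the allow-list, (2) validates event.data before using it, and
// (3) dispatches only to registered message types. It returns an outcome object so
// the result can be inspected; a real page would usually just act on the message.
function makeMessageHandler(allowedOrigins, handlers) {
  return function onMessage(event) {
    if (!allowedOrigins.includes(event.origin)) {
      return { accepted: false, reason: "untrusted origin " + event.origin };
    }
    const data = event.data;
    if (data === null || typeof data !== "object" || typeof data.type !== "string") {
      return { accepted: false, reason: "malformed message" };
    }
    if (!Object.prototype.hasOwnProperty.call(handlers, data.type)) {
      return { accepted: false, reason: "unknown message type " + data.type };
    }
    return { accepted: true, result: handlers[data.type](data.payload) };
  };
}

// Sender side. Always pass the exact origin the frame is expected to hold. With
// "*" the browser would deliver the payload to whatever document is in the frame.
function sendMessage(targetWindow, targetOrigin, type, payload) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post with wildcard targetOrigin");
  }
  targetWindow.postMessage({ type: type, payload: payload }, targetOrigin);
}

// Stand-in for a browser window so the example runs under Node. In a browser,
// event.origin is set by the browser from the sending document and cannot be
// forged by the sender; here the harness stamps it from fakeWindow.currentSender.
function fakeWindow(ownOrigin, onMessage) {
  const win = { origin: ownOrigin, outcomes: [] };
  win.postMessage = function (message, targetOrigin) {
    if (targetOrigin !== "*" && targetOrigin !== ownOrigin) {
      win.outcomes.push({ delivered: false, reason: "targetOrigin mismatch" });
      return;
    }
    const verdict = onMessage({ origin: fakeWindow.currentSender, data: message });
    win.outcomes.push(Object.assign({ delivered: true }, verdict));
  };
  return win;
}

// Walks through the situations the answer warns about.
function demo() {
  const widgetHandlers = { setTheme: (payload) => "theme=" + String(payload) };
  const widget = fakeWindow(WIDGET_ORIGIN,
    makeMessageHandler([PARENT_ORIGIN], widgetHandlers));

  // 1. The legitimate parent posts a registered message type: accepted.
  fakeWindow.currentSender = PARENT_ORIGIN;
  sendMessage(widget, WIDGET_ORIGIN, "setTheme", "dark");

  // 2. A third-party site frames the widget and tries the same message: rejected
  //    by the origin check, regardless of what the payload says.
  fakeWindow.currentSender = "https://evil.example";
  sendMessage(widget, WIDGET_ORIGIN, "setTheme", "dark");

  // 3. The parent sends a type the widget never registered: rejected, so the
  //    framing page cannot make the widget run arbitrary actions.
  fakeWindow.currentSender = PARENT_ORIGIN;
  sendMessage(widget, WIDGET_ORIGIN, "evalScript", "alert(1)");

  // 4. The frame was navigated away from the widget; because the parent named
  //    WIDGET_ORIGIN as targetOrigin, the browser drops the message instead of
  //    handing it to the new occupant.
  const hijacked = fakeWindow("https://evil.example",
    makeMessageHandler(["https://evil.example"], { setTheme: () => "stolen" }));
  fakeWindow.currentSender = PARENT_ORIGIN;
  sendMessage(hijacked, WIDGET_ORIGIN, "setTheme", "dark");

  return { widget: widget.outcomes, hijacked: hijacked.outcomes };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same two checks apply when the framed page answers back: it should post to `event.origin` of the message it accepted (never `"*"`), and the parent's handler should allow-list the widget's origin in turn.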
  • I like the alternatives you've mentioned, however, HTML5 is not something I'm able to use right now. The jQuery wrapper has promise, I'll need to look into it more. Let's say I want to continue down the p3p path, if I catch the referring URL and only execute the addition of the p3p header against a verified host, would that thwart any would-be trust issues? – EnjoyTheVibez Aug 01 '11 at 19:57
  • How do you plan on "catching" the URL? How do you stop sites framing you from just updating your DOM or changing the code or calling arbitrary scripts in your site? – Erik A. Brandstadmoen Aug 01 '11 at 20:00
  • Thanks for the help. I'll need to search for an alternative, safer, route. – EnjoyTheVibez Aug 02 '11 at 12:46
  • I think the postMessage (combined with the fallback solutions) of the jQuery plugin is a safe way to go. It is designed for this kind of communication. – Erik A. Brandstadmoen Aug 02 '11 at 13:46