restrict script inside iframe to run only within pages of same top-level domain?

Posted by Justin Grant on Stack Overflow
Published on 2010-04-14T18:03:28Z Indexed on 2010/04/17 1:13 UTC

I'd like to enforce a requirement that client script inside a page (which in turn is loaded inside an iframe of another page) will only run when the parent page is on the same top-level domain as the framed page (although it may be on another hostname in that domain). Is this do-able?

I assume that the easy solution of looking at top.location.host won't be available due to cross-site scripting limitations, but I'm wondering if other javascript hackery could suffice.

Constraints on any potential solution include:

I need to be able to run XmlHttpRequest calls inside the child page, and I need to validate that the hostname is in the same domain before I make those calls. (This makes a document.domain solution challenging because, AFAIK, setting document.domain disables the ability to make XmlHttpRequest calls.)

I can control client-side script and HTML on both parent or child (and I can create new pages if needed), but I can't make any server-side code changes.

I can't simulate the above via server-side calls or proxies, because the child page's hostname uses a forms auth system with hostname-scoped cookies that I can't get access to from the parent page since it's on a different hostname.

I don't have enough control over the child-frame site to be able to put both sites behind the same reverse-proxy or load-balancer (which would enable me to put both sites on the same hostname).

I don't actually need to access any UI inside the IFrame; the iframe is invisible and I'm only using it to run javascript within the security context of a site on a different hostname from the parent page.

So at this point I'm stumped. Got any ideas? I want to make sure I'm not overlooking an easy solution before giving up.
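One way to approach the check the question asks for, added here as an example and not taken from the question or any answer: the framed page cannot read top.location cross-origin, but when the parent posts a message to it, the browser fills in event.origin, which the sender cannot forge. The handler below enables the protected calls only when that origin is https and shares the framed page's registrable domain; the two-label domain rule (no Public Suffix List), the "hello-from-parent" message text and the /api/ping path are assumptions.

```javascript
// Framed page side. The parent (which the asker controls) would run:
//   frame.contentWindow.postMessage("hello-from-parent", "https://child.example.com");

// Registrable domain of a hostname. Assumption: a two-label registrable
// domain (example.com). Suffixes like co.uk need the Public Suffix List.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2) return null;
  return labels.slice(-2).join(".");
}

// True when both hostnames sit under the same registrable domain.
function sameTopLevelDomain(hostA, hostB) {
  const a = registrableDomain(hostA);
  const b = registrableDomain(hostB);
  return a !== null && a === b;
}

// origin is event.origin (e.g. "https://www.example.com"); ownHost is the
// framed page's location.hostname. Opaque origins ("null") and plain http
// are rejected, as is any host outside the framed page's domain.
function parentOriginAllowed(origin, ownHost) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false;
  }
  if (url.protocol !== "https:") return false;
  return sameTopLevelDomain(url.hostname, ownHost);
}

// Wiring for the framed page; skipped outside a browser.
if (typeof window !== "undefined" && window.parent !== window) {
  window.addEventListener("message", (event) => {
    if (event.source !== window.parent) return;            // only the embedder
    if (event.data !== "hello-from-parent") return;        // ignore unrelated messages
    if (!parentOriginAllowed(event.origin, location.hostname)) return;
    // Embedder verified: the same-origin request runs with this page's
    // hostname-scoped cookies, which the parent could not have used itself.
    fetch("/api/ping", { credentials: "same-origin" })
      .then((res) => event.source.postMessage({ ok: res.ok }, event.origin));
  });
}
```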

