restrict script inside iframe to run only within pages of same top-level domain?
- by Justin Grant
I'd like to enforce a requirement that client script inside a page (which in turn is loaded inside an iframe of another page) will only run when the parent page is on the same top-level domain as the framed page (although it may be on another hostname in that domain). Is this do-able?
I assume that the easy solution of looking at top.location.host won't be available due to cross-site scripting limitations, but I'm wondering if other javascript hackery could suffice.
Constraints on any potential solution inculde:
I need to be able to run XmlHttpRequest calls inside the child page, and I need to validate that the hostname is in the same domain before I make those calls. (this makes a document.domain solution challenging because AFAIK setting document.domain disables the ability to make XmlHttpRequest calls.
I can control client-side script and HTML on both parent or child (and I can create new pages if needed), but I can't make any server-side code changes.
I can't simulate the above via server-side calls or proxies, because the child page's hostname uses a forms auth system with hostname-scoped cookies that I can't get access to from the parent page since it's on a different hostname.
I don't have enough control over the child-frame site to be able to put both sites behind the same reverse-proxy or load-balancer (which would enable me to put both sites on the same hostname).
I don't actually need to access any UI inside the IFrame-- the iframe is invisible and I'm only using it to run javascript within the security context of a site on a different hostname from the parent page.
So at this point I'm stumped. Got any ideas? I want to make sure I'm not overlooking an easy solution before giving up.
