Collaborate Disseminate
I run a site that displays user-generated SVGs. They are untrusted, so they need to be sandboxed.
I currently embed these SVGs using <object> elements. (Unlike <img>, this allows loading external fonts. And unlike using an <… Continue reading What sandbox does an <object> element run in? Can this sandbox be configured?
For a social networking site example.com, users all have their own domains. How can you keep someone seamlessly authenticated across all domains?
For the main site, example.com, I am currently using:
<?php
session_start();
//han… Continue reading What’s the best way to handle authentication across multiple different domains under the same service?
If your internet traffic had an eavesdropper and you access a website using HTTPS from my understanding they would know the domain name (hostname) that you visit (as well as some other things), but if after logging into that first site (wh… Continue reading Would a hostname from an HTTPS iframe leak if loaded after a successful connection with another HTTPS hostname which displayed the iframe
A restaurant owner I work with has its restaurant menu database in FoodPanda, an online delivery service.
If I am not mistaken, currently, FoodPanda’s API doesn’t support the content management system with which the restaurant’s website is… Continue reading Preventing people from embedding a webpage by iframe [migrated]
Why… Just Why…
Due to Shopify being unwilling to modify security headers further then removing them, the Cloudflare "Orange-to-Orange" problem (since Shopify uses Cloudflare as well), and my unwillingness to write a whole fro… Continue reading Selective frame busting without HTTP headers
I recently started working on adding custom code to HubSpot forms after their form is loaded via an iFrame. Initially, I was using the following code to access the iFrame to change it:
var form = window.docuemnt.querySelector("[data-r… Continue reading abiliity to change elements in HubSpot iFrame forms
I’m building a website where users, among other things, can add embeds (YouTube, Google Forms, Airtable…) and show those embeds to other people. Embeds are snippets of HTML that can include <script> and <iframe>-tags.
It is i… Continue reading How do I safely host third-party Javascript code in an iframe?
Is it possible to prevent tabnabbing attacks in a sandboxed iframe with allow-popups?
Continue reading Can tabnabbing be prevented with "allow-popups"?
Let’s take some examples:
Pay Pal, Apple Pay (examples via Saferpay) – will not load in an iFrame
Visa Checkout, Stripe (example), Saferpay (link above) – credit card data can be input in an iFrame
Is there any technical/security reason … Continue reading Why some payment methods allow being embedded in an iframe and some don’t?
I am trying to implement a case where a user provides us some html code which is then stored in our database. We then retrieve the HTML from our database as a string. (We have no control over the user input)
I try to embed this html using
… Continue reading srcdoc attribute of iframes as a source of XSS attacks