2

Using Iframe we can embed webpages of another domain provided the X-Frame-Options isn't set to SAMEORIGIN. This also loads the cookie inside the iframe.
Now, one can access this cookie if it's in the iframe box using document.cookie. I wanted to ask if it's possible to send this cookie by mailing this to oneself (by writing a script inside the iframe tag).

My Opinion:
This is possible if we can write the script tag inside the iframe tag in the web-page. But it doesn't seem to work in my case.

We can also insert a script dynamically inside the iframe. I wanted to know if it's possible or not.

I think it might not work since the iframe loaded might overwrite all the content inside the iframe tag and the script tag might not work.
If this is the case, then why is there an iframe closing tag at all? Can't it be only: iframe src="https://abc.def.com" tag to define iframes?

aka_007
  • Have you looked at Window.postMessage() in HTML5? – Simply G. Nov 13 '17 at 12:13
  • The question is answered below by Steffen Ullrich. Have a look at it @Simply G. – aka_007 Nov 14 '17 at 17:40
  • I agree with the principle and his answer, but there are several technologies to 'safely enables cross-origin communication'. Both old and new. You can share information from the cookie between iframe and hosting page using scripting. I must add that I am not saying it is a good thing to do so. – Simply G. Nov 21 '17 at 13:43

1 Answer

5

Same Origin Policy ensures that you cannot read or modify the content of a page with a different origin. In the case of the iframe this means that the parent frame can fully replace the iframe (thus changing the origin) but it cannot read or modify the contents of the iframe if it has a different origin.

Thus reading a cookie cross-origin from an iframe will only work if the content of the iframe explicitly communicates with the parent frame (like with postMessage) to share the cookie value. Usually this is not the case with unrelated origins, but if you find an XSS attack at the iframe's origin then you might be able to trick the iframe into sending this cookie to the parent frame.

Note that X-Frame-Options is unrelated to the same origin policy. It is only used to define if a site can be put into an iframe or not. This is important to defend against Clickjacking or other UI-Redressing attacks.

Steffen Ullrich
  • Does that mean that we cannot modify the content of the iframe or play around with its elements from the main page's DOM? – aka_007 Feb 09 '16 at 08:56
  • @aka_007: you cannot read or modify content cross-origin. This includes iframes. – Steffen Ullrich Feb 09 '16 at 09:04
  • Makes sense since Cross Domain access is prevented in browsers. I will wait for some other answers before marking it accepted. Thanks. – aka_007 Feb 09 '16 at 09:29
  • @SteffenUllrich your Wikipedia link points to the German version. You might want to change it to the English one just in case. – Silverfox Feb 09 '16 at 09:29
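
The answer above says a framed page only shares data cross-origin when it explicitly communicates, for example with postMessage. The sketch below is an added example, not part of the original answer or comments: it shows the origin comparison the same-origin policy is built on and how a framed page can restrict what it sends and to whom. The origin `https://portal.example`, the message types and the helper names are assumptions made for illustration.

```javascript
// Added example: names and origins below are constructed for illustration.
const TRUSTED_PARENTS = new Set(["https://portal.example"]);

// Origin = scheme + host + port; this is the tuple the same-origin policy compares.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Handler for the framed page. `event` has the shape of a browser MessageEvent:
// { origin, data, source }. Returns true only when a reply was sent.
function handleMessage(event, trusted = TRUSTED_PARENTS) {
  // 1. Reject senders that are not on the allow-list (exact origin match,
  //    no substring or suffix checks).
  if (!trusted.has(event.origin)) return false;
  // 2. Accept only the one message type this page expects.
  if (typeof event.data !== "object" || event.data === null) return false;
  if (event.data.type !== "get-display-name") return false;
  // 3. Reply with the minimum data needed and an explicit targetOrigin,
  //    never "*", and never document.cookie or session tokens.
  event.source.postMessage(
    { type: "display-name", value: "alice" },
    event.origin
  );
  return true;
}

// In a browser the framed page would register the handler like this:
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => handleMessage(e));
}

// Constructed stand-in for event.source so the logic can run outside a browser.
function fakeSource() {
  const sent = [];
  return { sent, postMessage: (data, targetOrigin) => sent.push({ data, targetOrigin }) };
}
```

Marking session cookies `HttpOnly` additionally keeps them out of `document.cookie`, so script running in the framed page cannot read them at all.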