javascript - iFrame Security Risks from Embedding by Hacker


Within my app (http://www.example.com) I am running an iframe (https://www.example.com/iframe-application).

The main page (www.example.com) renders custom data based on cookies set by the iframe. The iframe has the smarts: JavaScript, secure cookies, etc. The iframe has no text, images, etc., only JavaScript code.

Is there a risk that someone could embed the iframe in their site and access the secure cookies, login tokens, etc.?

By default, cookies are bound to the domain name, so in the normal case this should not be possible.

If you have an XSS vulnerability on your site, someone could access the cookies, so be rather sure to escape input strings.
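The cookie scoping the answer relies on, as an added example that is not part of the original post: it models which cookies script in a given document can read through `document.cookie`, using the RFC 6265 domain-match rule plus the `Secure` and `HttpOnly` attributes. The cookie names, the jar contents, the function names and the `other-site.invalid` host are assumptions made for illustration, and the model ignores `Path` and public-suffix checks.

```javascript
// Added example: which cookies can script in a document read via
// document.cookie? All cookie data below is constructed for illustration.

// RFC 6265 section 5.1.3: the host matches if it is identical to the cookie
// domain, or (only for cookies set with a Domain attribute) if it ends with
// "." + cookie domain.
function domainMatches(host, cookie) {
  host = host.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (host === domain) return true;
  return !cookie.hostOnly && host.endsWith("." + domain);
}

// Returns the names of cookies visible to script in a document at pageUrl.
function scriptVisibleCookies(pageUrl, jar) {
  const url = new URL(pageUrl);
  return jar
    .filter((c) => domainMatches(url.hostname, c))
    .filter((c) => !c.secure || url.protocol === "https:") // Secure: HTTPS only
    .filter((c) => !c.httpOnly) // HttpOnly: never exposed to document.cookie
    .map((c) => c.name);
}

// Constructed cookie jar for the setup described in the question.
const jar = [
  { name: "session", domain: "www.example.com", hostOnly: true, secure: true, httpOnly: true },
  { name: "prefs", domain: "www.example.com", hostOnly: true, secure: true, httpOnly: false },
  { name: "theme", domain: "example.com", hostOnly: false, secure: false, httpOnly: false },
];

// A page on another domain that embeds the iframe: no cookie domain-matches.
console.log(scriptVisibleCookies("https://other-site.invalid/embed.html", jar));
// The HTTP main page: Secure cookies are withheld, only "theme" is readable.
console.log(scriptVisibleCookies("http://www.example.com/", jar));
// Script running inside the HTTPS iframe, including script injected through
// an XSS flaw: everything except the HttpOnly session cookie.
console.log(scriptVisibleCookies("https://www.example.com/iframe-application", jar));
```

In this model the embedding page on another domain reads nothing, while script running in the iframe's own origin reads every cookie not marked `HttpOnly`, which is why the XSS case in the answer is the one that matters.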

