A little further detail:
- I’m running a site where users can submit Javascript freely
- Other people will preview this Javascript ‘live’
- There will be basic measures in place to stop naughties like `eval()`, but inevitably some may unfortunately slip through
- The site is mysite.com, I gather running the scripts from myotherdomain.com will prevent cookie hijacking, however will running them from js.mysite.com prevent it too? (read: cheapskate, save money on an extra domain)
- Finally, will running it in an `<iframe>` from mysite.com to either a separate domain or a subdomain still work as effectively as loading an entirely new site?
The Same Origin Policy (SOP) applies to subdomains, ports, protocols and domains.
If there is a difference in one of these properties the SOP will prevent the access.
As long as you do not use `document.domain` on your main page, the subdomain will get the SOP protection. If you use `document.domain` in the main page, a script could do the same in the `iframe` and bypass the SOP.

Now if you want to enable some safe communication between iframes, you can use `window.postMessage` if you target modern browsers and mobiles.

And for older browsers there are some tricks to do, like the window.name trick.
This does not prevent Cross Site Scripting (making a POST to your domain with your current valid cookies from the iframe). You need to use a secret token that only the JavaScript in your main page knows and that will be sent for each request.
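
The origin comparison and the `window.postMessage` channel described in the answer above, as an added example that is not part of the original post. It assumes an `https` scheme for the question's hostnames, and the `preview-resize` message type and the 5000 px height limit are hypothetical.

```javascript
// Assumed origins: the question's hostnames with an https scheme.
const MAIN_ORIGIN = "https://mysite.com";
const SANDBOX_ORIGIN = "https://js.mysite.com";

// Two URLs share an origin only if scheme, host and port all match,
// so a subdomain is a different origin from its parent domain.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Build a "message" listener for the main page. It accepts a message only
// when it comes from the sandbox origin, from the expected iframe window,
// and has the one shape the main page is prepared to handle.
function makeMessageHandler(expectedOrigin, expectedSource, onValid) {
  return function handle(event) {
    // event.origin is filled in by the browser, not by the sending script.
    // Compare the whole string; prefix or suffix matching is not enough.
    if (event.origin !== expectedOrigin) return false;
    // Ignore other windows that happen to be served from the same origin.
    if (event.source !== expectedSource) return false;
    const msg = event.data;
    if (typeof msg !== "object" || msg === null) return false;
    // Hypothetical message type: the preview asks to be resized.
    if (msg.type !== "preview-resize") return false;
    if (!Number.isInteger(msg.height)) return false;
    if (msg.height < 0 || msg.height > 5000) return false;
    // Pass on only the validated fields, never the raw object.
    onValid({ type: msg.type, height: msg.height });
    return true;
  };
}

// Browser wiring (not executed outside a page):
//   const frame = document.querySelector("iframe");
//   window.addEventListener("message",
//     makeMessageHandler(SANDBOX_ORIGIN, frame.contentWindow, applyResize));
//   // When sending to the iframe, name the target origin instead of "*":
//   frame.contentWindow.postMessage({ type: "run" }, SANDBOX_ORIGIN);
```

The handler treats everything arriving from the iframe as untrusted input, so it copies out only the fields it has checked.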