Home/ Questions/Q 7647573
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T10:29:48+00:00

I have a window containing an iframe (same origin), so scripts from this iframe

  • 0

I have a window containing an iframe (same origin), so scripts from this iframe can access the top window’s attributes by simply referencing top.foo. I want to grant access to some of these attributes, and hide others via blacklist.

This is what I have so far:

(function(){
    var private = PrivateObject;
    Object.defineProperty(window, 'PrivateObject', {
        get: function getter() {
            if (!(getter.caller instanceof Function)) {
                throw 'You can\'t access PrivateObject from the iframe';
            }
            return private;
        },
        set: function setter(x) {
            if (!(setter.caller instanceof Function)) {
                throw 'You can\'t access PrivateObject from the iframe';
            }
            private = x;
        },
    });
})();

The basic idea behind this is that f.caller instanceof Function should detect calls from foreign window objects, since window1.Function !== window2.Function.

But this does not work if the accessors are called from top-level code, where f.caller === null. Any solutions?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    For now, I’ve decided to go with the following approach, since I don’t think it’s possible to detect top-level calls:

    /**
* Hide objects from access from other window objects. For example, this may be used to prevent access to
* top.Ext from scipts inside iframes.
* <strong>Warning:</strong> This does not work reliably, since calls from top-level code cannot be detected.
* You may either <strong>allow all</strong> top-level access (from top and other windows), or <strong>disallow all</strong> top-level access.
* Also remember that objects may have indirect references.
* @param {Object} object The object whose properties shall be hidden
* @param {Array|String} properties A comma-separated list or an array of property names
* @param {Boolean} allowTopLevel <tt>true</tt> to allow access from top-level code. Defaults to <tt>false</tt>
*/
hideObjectsFromFrames = function (object, properties, allowTopLevel) {
    if (typeof properties == 'string') {
        properties = properties.split(/ *, */);
    }
    Ext.each(properties, function (property) {
        var orig = object[property];
        if (allowTopLevel) { // checking outside the accessors improves performance
            Object.defineProperty(object, property, {
                get: function g() {
                    if (g.caller && !(g.caller instanceof Function)) {
                        throw 'Security error. Attempt to access ' + property + ' from foreign window';
                    }
                    return orig;
                },
                set: function s(x) {
                    if (s.caller && !(s.caller instanceof Function)) {
                        throw 'Security error. Attempt to overwrite ' + property + ' from foreign window';
                    }
                    orig = x;
                }
            });
        } else {
            Object.defineProperty(object, property, {
                get: function g() {
                    if (!(g.caller instanceof Function)) {
                        throw 'Security error. Attempt to access ' + property + ' from foreign window';
                    }
                    return orig;
                },
                set: function s(x) {
                    if (!(s.caller instanceof Function)) {
                        throw 'Security error. Attempt to overwrite ' + property + ' from foreign window';
                    }
                    orig = x;
                }
            });
        }
    });
};

    If anyone comes up with a better solution, please let me know!

    • 0