while i know that xss rules should apply to iframed content if the domain, protocol etc do not match, i was wondering if there is any way to further ensure that iframed content cannot access the parent via javascript.
for example, even if the domain port and protcol DO match.
the basic idea is as such:
1) domain.com contains multiple iframes containing 3rd party advertisements
2) the iframes that contain the banner code are hosted on ads.domain.com
3) in most cases, the 3rd party advertisements are loaded via something like, inside the frames that are hosted on ads.domain.com:
<script type="text/javascript" src="http://www.3rd-party-ad-provider.....
is there any further steps we can take to end up with a scenario as follows:
3rd party < HAS ACCESS > ads.domain.com < NO ACCESS > domain.com (parent holding the ad iframes)
even steps that are only compatible on recent browsers are welcome. anything to improve this. we are seeing quite a bit of js errors leaking thru and i am assuming that at least some of it is caused by faulty ad code mangling the parent (top-est) document body.
merci!
Nothing that works cross-browser or without side effects.
The same origin policy does that.
If JS errors in a frame, then it still errors. It shouldn’t touch the top level frame, but browsers will report the errors.
Since you are dealing with third party content, you can’t
catchthe errors.You could simply take a hard line with the advertisers and reject adverts that don’t pass quality control. You’ll have to weigh the cost of turning adverts down with the benefits of the improved experience for visitors.