azuredivay
355d

Say a JS 'widget' is embedded inside a domain abc.com.
The widget's content is retrieved from xyz.com (API?), the API also returns a custom URL (think of it as a tracker) that the JS adds to the DOM of abc.com, inside an iFrame.
Essentially making this iFrame hosting xyz.com content/page while existing in abc.com domain
Now this iFrame's page makes its own requests to 3rd party sites, would that mean the 3rd party would see the request originating from xyz.com (iFrame page) or abc.com (the site hosting the iFrame)?

Comments
  • 1
    @retoor ~_~ I'd have to manually do it n figure it out eh, y'all no help -..-
  • 2
    @azuredivay you posted it just an hour ago. Have some faith
  • 2
    haven't touched iFrame in yrs, so can't tell for sure, but if I get it correctly the requests originate from the server where it is hosted. if ur assumption is right and when in iFrame the origin is changed what happens if two sites embed that iFrame?
  • 2
    Iframes create some entirely new context in the page, totally separated from that of the parent. Requests originating from an iframe have the "Origin" and "Referer" headers based on their own address, not that of the main container hosting it.
  • 2
    TLDR: abc.com loads an iframe from xyz.com; every request originating from the iframe will be shown as coming from xyz.com.
  • 1
    @IHateForALiving this is the birth of a potentially very fun side project 😎
  • 2
    If the iframe is created with the url, then the iframe is isolated from the parent so neither should be able to access each other.

    Not entirely sure if the content of the iframe could see the url of the parent though, been years since I had a case where I needed to care about that.
  • 1
    @Voxera content of the frame can't see the parent nor vice versa, the browser APIs exist but they throw errors now "security issue", at least until 1 year ago when I last had to work with it

    But that's within expectations, all I wanted was the origin request to be the iframe url :3
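
The third party's side of the behaviour described in the comments above, as an added example that is not part of the original thread: it works out which origin a receiving server can attribute a request to from the `Origin` and `Referer` headers. The function names and the header sets are constructed for illustration, and the sample `Referer` values assume the default `strict-origin-when-cross-origin` policy, which trims a cross-origin `Referer` to the origin.

```javascript
// Added example: what a third-party server can infer about who sent a request.
// Function names are hypothetical; the header sets are constructed samples.

// Parse a header value as an http(s) URL and return its origin, else null.
function safeOrigin(value) {
  try {
    const u = new URL(value);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.origin : null;
  } catch {
    return null;
  }
}

// Prefer Origin (sent on CORS and non-GET/HEAD requests), fall back to Referer.
function requestInitiator(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  if (h.origin) {
    // "null" is an opaque origin, e.g. a sandboxed iframe without allow-same-origin.
    if (h.origin === 'null') return { origin: null, source: 'origin', opaque: true };
    const o = safeOrigin(h.origin);
    if (o) return { origin: o, source: 'origin', opaque: false };
  }
  if (h.referer) {
    const o = safeOrigin(h.referer);
    if (o) return { origin: o, source: 'referer', opaque: false };
  }
  // Neither header usable, e.g. Referrer-Policy: no-referrer on a plain GET.
  return { origin: null, source: 'none', opaque: false };
}

// Constructed requests, all issued by the xyz.com frame embedded in abc.com.
const samples = {
  corsFetch: { Origin: 'https://xyz.com', Referer: 'https://xyz.com/' },
  imageGet: { Referer: 'https://xyz.com/' },
  sandboxedPost: { Origin: 'null' },
  noReferrerGet: {},
};

for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, requestInitiator(hdrs));
}
```

None of the four cases exposes abc.com to the third party; the embedding page only appears in the `Referer` of the request that loads the frame itself from xyz.com.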