shnoulle / iframe-widget-test Goto Github PK
View Code? Open in Web Editor NEWThis project forked from agibralter/iframe-widget-test
This project forked from agibralter/iframe-widget-test
This is a proof-of-concept for using the post-to-iframe method of setting cookies for x-domain iframe requests. Facebook uses this method for iframe canvas page apps. See the images in screenshots/ to see how this works in browesrs. Basically what happens is we request a page on the iframe-widget-test-base domain which generates a random token. Then with JS on page load, we submit a form that has the iframe as the target. The form action url is, of course, a separate domain: iframe-widget-test-frame. In that request to the frame we set a cookie in the response to the randomly generated token. We then use JS in that frame to show that the cookie is indeed set for the frame's domain. As a control, we load another iframe (on the right in the pictures) with a normal GET request (iframe's src attribtue) on the same domain as the base page (iframe-widget-test-base) to show that no cookie gets set for the base page. Finally, to show that the x-domain iframe is indeed isolated, we try to use JS in the base page to access the title of the frame. In the x-domain iframe, we cannot access the title (browser security enforces that JS cannot communicate between frames with different domains). In the same-domain iframe, we can access the title. To run this yourself... This test requires entries in /etc/hosts; e.g.: 127.0.0.1 iframe-widget-test-base.urtak.com 127.0.0.1 iframe-widget-test-1.urtak.is 127.0.0.1 iframe-widget-test-2.urtak.is 127.0.0.1 iframe-widget-test-3.urtak.is 127.0.0.1 iframe-widget-test-4.urtak.is Run with shotgun: `bundle exec shotgun`. **Also, somehow, you'll need to forward requests to port 80 to 9393 (for use with shotgun).** Navigate to http://iframe-widget-test-base.urtak.is/ in your browser. Currently the post-to-iframe technique works in: - FF3+ - IE6+ - Chrome (every version I've tried...) - Opera (9+ I think...) - Safari (before v6) - mobile Safari (before iOS v6) Safari 6+ and mobile Safari in iOS 6+ threw a wrench in the whole technique though. It looks like localStorage works in cross-domain iframes, though, so that may provide a work around for the future (requires application rearchitecting). Chrome with "block third party cookies and site data" does not even allow localStorage.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.