Skip to content Skip to sidebar Skip to footer
Home / Cross Domain / Iframe / Javascript / Security / Window.location

What Exactly Can An Iframe Do With The Top.location Object (cross-domain)?

Post a Comment
There is a very particular edge case in cross-domain policies regarding the window.top.Location object... Let's say I have IFrame A , in domain www.bbb.com, living inside a page in

Solution 1:

This is exactly specified by the HTML5 standard in section 5.5.3.1.

Solution 2:

The security rules does differ with the version of browser. Generally newer versions have stricter rules, but also more fine tuned.

I suspect that older browsers would freely let you access the location object of the top frame, a little newer browsers would deny it totally, and the current versions let you compare location objects but not read from them.

You might be able find documentation about this, but it would be specific for each browser and specific for each version of the browser. As far as I know, there is no real standard for this. Each browser vendor tries to protect the user as much as possible, while still keeping some usability for the web site builder. Generally you can't really assume that anything close to the border works in all browsers, or that it will continue to work in future versions.

Post a Comment for "What Exactly Can An Iframe Do With The Top.location Object (cross-domain)?"