Comments on: Intra-iframe Message Passing http://ajaxian.com/archives/intra-iframe-message-passing Cleaning up the web with Ajax Thu, 17 May 2012 07:43:39 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Julien Couvreur http://ajaxian.com/archives/intra-iframe-message-passing/comment-page-1#comment-114676 Julien Couvreur Wed, 04 Oct 2006 01:39:40 +0000 http://ajaxian.com/archives/intra-iframe-message-passing#comment-114676 Optimus Paul, Privacy reasons would prevent you from implementing the Windows Live Contact Gadget by doing the mashup on the server. Another reason for doing client-side cross-domain communication is to avoid un-necessary proxying traffic to your server. Agreed there are times where this traffic is necessary, but in many occasions it is not. Optimus Paul,
Privacy reasons would prevent you from implementing the Windows Live Contact Gadget by doing the mashup on the server.
Another reason for doing client-side cross-domain communication is to avoid un-necessary proxying traffic to your server. Agreed there are times where this traffic is necessary, but in many occasions it is not.

]]> By: optimus paul http://ajaxian.com/archives/intra-iframe-message-passing/comment-page-1#comment-107322 optimus paul Wed, 27 Sep 2006 22:00:23 +0000 http://ajaxian.com/archives/intra-iframe-message-passing#comment-107322 I've always found it easier and perhaps better do do my mash-ups on the server, then there are no xss concerns. I've never really understood the fascination with attempting to do xss in ajax. I do think this is good news, now we can get the problem fixed. I’ve always found it easier and perhaps better do do my mash-ups on the server, then there are no xss concerns. I’ve never really understood the fascination with attempting to do xss in ajax.

I do think this is good news, now we can get the problem fixed.

]]> By: henrah http://ajaxian.com/archives/intra-iframe-message-passing/comment-page-1#comment-103319 henrah Sun, 24 Sep 2006 02:51:13 +0000 http://ajaxian.com/archives/intra-iframe-message-passing#comment-103319 @Fnustle: > given the hypervigilant attitude MS has had towards security… Since the Windows Live team is actually exporing this technique, it's reasonable to assume that Microsoft are treating this as a security solution rather than a flaw. @Fnustle:
> given the hypervigilant attitude MS has had towards security…

Since the Windows Live team is actually exporing this technique, it’s reasonable to assume that Microsoft are treating this as a security solution rather than a flaw.

]]> By: Joseph Smarr http://ajaxian.com/archives/intra-iframe-message-passing/comment-page-1#comment-102306 Joseph Smarr Sat, 23 Sep 2006 04:04:01 +0000 http://ajaxian.com/archives/intra-iframe-message-passing#comment-102306 For those interested in more info and more options for cross-site scripting technicques and their challenges, you might enjoy the talk I gave this year at OSCON on the subject (including the infamous "JavaScript Wormhole"). Slides:http://www.plaxo.com/css/api/Joseph-Smarr-Plaxo-OSCON-2006.ppt Summary: http://www.sitepoint.com/blogs/2006/07/28/oscon-2006-cross-site-ajax/ For those interested in more info and more options for cross-site scripting technicques and their challenges, you might enjoy the talk I gave this year at OSCON on the subject (including the infamous “JavaScript Wormhole”).

Slides:http://www.plaxo.com/css/api/Joseph-Smarr-Plaxo-OSCON-2006.ppt

Summary: http://www.sitepoint.com/blogs/2006/07/28/oscon-2006-cross-site-ajax/

]]> By: srabbit23 http://ajaxian.com/archives/intra-iframe-message-passing/comment-page-1#comment-102217 srabbit23 Sat, 23 Sep 2006 00:12:00 +0000 http://ajaxian.com/archives/intra-iframe-message-passing#comment-102217 <strong>Intra-iframe Message Passing</strong> nice Intra-iframe Message Passing

nice

]]> By: Ahmed Kamel http://ajaxian.com/archives/intra-iframe-message-passing/comment-page-1#comment-102206 Ahmed Kamel Fri, 22 Sep 2006 23:47:28 +0000 http://ajaxian.com/archives/intra-iframe-message-passing#comment-102206 I agree that this doesn't seem to be a security hole; because it requires both frames (parent and iframe) to work together, and hence neither A or B can exploit each other. However, this can become an exploit, if E (for evil) comes along and decides to spoof B's dynamic iframe creation; passing bad information to A. Somehow a security mechanism (identification) must be established between A and B. I agree that this doesn’t seem to be a security hole; because it requires both frames (parent and iframe) to work together, and hence neither A or B can exploit each other.

However, this can become an exploit, if E (for evil) comes along and decides to spoof B’s dynamic iframe creation; passing bad information to A.

Somehow a security mechanism (identification) must be established between A and B.

]]> By: Julien Couvreur http://ajaxian.com/archives/intra-iframe-message-passing/comment-page-1#comment-102065 Julien Couvreur Fri, 22 Sep 2006 20:50:12 +0000 http://ajaxian.com/archives/intra-iframe-message-passing#comment-102065 Fnustle, I don't think that this can be "fixed". There is no hole per-se. Which part would you want to fix? The ability to create iframes that load any url? The ability to enumerate all iframes in a document? Fnustle, I don’t think that this can be “fixed”. There is no hole per-se. Which part would you want to fix? The ability to create iframes that load any url? The ability to enumerate all iframes in a document?

]]> By: Fnustle http://ajaxian.com/archives/intra-iframe-message-passing/comment-page-1#comment-101996 Fnustle Fri, 22 Sep 2006 18:55:31 +0000 http://ajaxian.com/archives/intra-iframe-message-passing#comment-101996 Neat, but I wouldn't rely on a security hole staying around even if it is one that would be highly improbable to exploit, given the hypervigilant attitude MS has had towards security... Neat, but I wouldn’t rely on a security hole staying around even if it is one that would be highly improbable to exploit, given the hypervigilant attitude MS has had towards security…

]]>