

Ask YC: Working around Cross-site scripting Restriction - title84

We have a browser and another iframe that loads within it.  We want to capture information within the iframe but are unable to do so because of cross-site scripting.

How do we work around these issues to capture data from the iframe such as URLs and images?
======
nostrademons
Wow, could you imagine the security implications if this was possible? Put up
an invisible IFRAME that links to a major credit card's account page, scrape
the account number, and hope that lots of people are logged in. Or set the
IFRAME to GMail, scrape the e-mail links, and read each one to look for
passwords and confidential info.

Assume it's not possible, because if it is, the web has a massive security
problem.

(If you control both ends of the IFRAME, it _is_ possible to pass small
amounts of data back, but I think the exact technique used falls under the
confidential information of one of the startups I've worked with.)

------
title84
Nostrademons, when you mention "control both ends of the IFRAME" are you
referring to controlling the servers on both ends of the iframe?

~~~
nostrademons
Yeah. If the page source for both the parent frame and the iframe is generated
by (or can be changed by) you, it's possible to pass small amounts of
information between them (even without using cookies or server-side
communication). But I can't go into details about how, because it's company-
confidential to one of the places I've worked.
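
An added example, not part of the thread and not the undisclosed technique nostrademons mentions: when both pages cooperate, the standard browser API for passing data between frames is `window.postMessage`, and the receiving side must validate the sender. The origin `https://widget.example`, the `page-info` message type and the function names are hypothetical.

```javascript
// Added example: cooperative iframe -> parent messaging with window.postMessage.
// All origins, names and message fields here are hypothetical placeholders.
const IFRAME_ORIGIN = "https://widget.example"; // assumed origin of the embedded page

// Parent side: build a "message" event handler that accepts data only from
// the expected origin and frame, and only in the expected shape.
function makeReceiver(allowedOrigin, expectedSource, onData) {
  return function onMessage(event) {
    // 1. Origin check: exact string comparison, never a substring or prefix match.
    if (event.origin !== allowedOrigin) return "rejected: origin";
    // 2. Source check: the message must come from the frame we embedded.
    if (event.source !== expectedSource) return "rejected: source";
    // 3. Shape check: the payload is untrusted data, never code or HTML.
    const d = event.data;
    if (!d || d.type !== "page-info" || typeof d.url !== "string" ||
        !Array.isArray(d.images) || !d.images.every((s) => typeof s === "string")) {
      return "rejected: shape";
    }
    onData({ url: d.url, images: d.images.slice(0, 50) }); // cap the list size
    return "accepted";
  };
}

// Iframe side: the embedded page itself reports its URL and image sources.
// This only works because the iframe's own script chooses to send them.
function reportToParent(win, parentOrigin) {
  const images = Array.from(win.document.images, (img) => img.src);
  // Always name the target origin; "*" would deliver the data to any embedder.
  win.parent.postMessage(
    { type: "page-info", url: win.location.href, images },
    parentOrigin
  );
}

// Wiring in a real parent page (frame is the <iframe> element):
//   window.addEventListener("message",
//     makeReceiver(IFRAME_ORIGIN, frame.contentWindow, handlePageInfo));
// Wiring in the iframe page, with the parent's origin known in advance:
//   reportToParent(window, "https://parent.example");
```

If the iframe's page does not run the sending half, the parent receives nothing, which is the same-origin restriction described in the thread.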

~~~
title84
got it. so you do not see any way possible of doing this without controlling
both sources of the iframe? understand the security implications, but there's
got to be some site that does this for other purposes or some way to work
around...

~~~
nostrademons
If there is, I'd expect it to be fixed as soon as someone does it, which'd
break your architecture. It really is a potentially gaping security hole, and
it's not wise to depend on security holes for your application's core
functionality.

------
noodle
do you have to use javascript and an iframe for this? splash in something like
php and you can scrape the information you require.

------
johns
You're describing a broken solution to a problem instead of the problem
itself.

~~~
title84
please expand... what's the problem itself?

