Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?
The best I can come up with is to have each iframe open a WebSocket to a server which can coordinate, but I don’t see how to guard against an attacker posing as a sibling iframe and receiving secure data.
You can use WebRTC p2p, check peerjs.com - the server doesn’t relay anything, you can define a secret by using a common property in the iframe to help the peers.
Nice approach! Alas, defining a secret via a common property is very not ideal—it would be like asking YouTube users to add a custom parameter every time they embed, rather than just copying-and-pasting—but it’s better than nothing!