Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?
Conversation
Nope, alas: can’t access window.parent.frames cross-origin.
1
(to my surprise, Firefox allows this! but Chrome and Safari sensibly don’t)
2
Okay, I've seen one more weird trick, but it involves more coordination: triply embedded iframes
- origin 1
- origin 2
- origin 1
These sometimes offer possibilities for communicating, but you need help from origin 1
2
Replying to
Won’t be able to ask for help from the parent origin, alas.
Replying to
And I suppose there's no way you can take over the top level document, like
<document from andy> no content or border
<iframe from other site that THINKS it's the document>
<iframe from andy>
1
Nope, I'm sandboxed from that origin. But Kevin has a working solution:
Quote Tweet
Replying to @andy_matuschak
Would BroadcastChannel work?