Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?
The best I can come up with is to have each iframe open a WebSocket to a server which can coordinate, but I don’t see how to guard against an attacker posing as a sibling iframe and receiving secure data.
Sounds like you found a better solution, but I believe you can enable CORS / enforce origin on WebSockets?
Hm, I don’t think that’s good enough: I could build a hostile client which spoofed the origin.