Nerd-puzzle: how might I allow sibling same-origin iframes to communicate, given…
- parent is cross-origin
- can’t execute JS on parent
- no sessionStorage, localStorage, cookies, or IDB access
- with enough security to share auth tokens?
`parent.frames[otherName]`, maybe surprisingly, works, and there is no protection against it short of not granting `allow-same-origin` in `sandbox`, which has pretty egregious side effects.
Replying to @domenic and @NeilKNet
No dice! I’m awfully surprised this is meant to be allowed. Why should it be?
You might be accessing the wrong frame. I'm not sure `frames` (which is an alias to `window`, but it reads better) is enumerable with numeric indexes across origins. Named access `parent.frames.otherFrameName` definitely works.
Ah, I see! Unfortunately, arranging for the iframes to be named will be challenging, but this is helpful to know.
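
The named sibling lookup discussed in this thread, as an added example that is not part of the original conversation: it resolves a sibling through `parent.frames[name]`, confirms it is same-origin before handing over a token, and checks the origin again on the receiving side. The function names, the `auth-token` message type and the `win` parameter (the frame's own `window`) are assumptions made for illustration.

```javascript
// Added example; all function names and the message shape are hypothetical.

// Returns the sibling Window registered under `name` on the parent, but only
// if it is same-origin with `win`. Returns null otherwise.
function findSameOriginSibling(win, name) {
  let candidate;
  try {
    // Named child-frame lookup on the (possibly cross-origin) parent.
    candidate = win.parent.frames[name];
  } catch (e) {
    return null;
  }
  if (!candidate || candidate === win) return null;
  try {
    // Reading location.origin on a cross-origin Window throws, so reaching
    // the comparison at all already implies script access to the sibling.
    if (candidate.location.origin !== win.location.origin) return null;
  } catch (e) {
    return null;
  }
  return candidate;
}

// Sender: posts the token only to a verified same-origin sibling, and pins
// targetOrigin so the message is dropped if that frame has navigated away.
function shareToken(win, name, token) {
  const sibling = findSameOriginSibling(win, name);
  if (!sibling) return false;
  sibling.postMessage({ type: "auth-token", token }, win.location.origin);
  return true;
}

// Receiver: call from a "message" event listener. Accepts the token only
// when the event comes from the receiver's own origin.
function acceptToken(win, event) {
  if (event.origin !== win.location.origin) return null;
  if (!event.data || event.data.type !== "auth-token") return null;
  return event.data.token;
}
```

In a page, the sender calls `shareToken(window, "frame-name", token)` and the receiver registers `window.addEventListener("message", e => acceptToken(window, e))`.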

