Security in embedded iframejavascript widget - Stack Overflow

admin管理员组

文章数量:1289556

I'm building a website that is functionally similar to Google Analytics. I'm not doing analytics, but I am trying to provide either a single line of javascript or a single line iframe that will add functionality to other websites.

Specifically, the embedded content will be a button that will popup a new window and allow the user to perform some actions. Eventually the user will finish and the window will close, at which point the button will update to a new element reflecting that the user pleted the flow.

The popup window will load content from my site, but my question pertains to the embedded line of javascript (or the iframe). What's the best practice way of doing this? Google analytics and optimizely use javascript to modify the host page. Obviously an iFrame would work too.

The security concern I have is that someone will copy the embed code from one site and put it on another. Each page/site bination that implements my script/iframe is going to have a unique ID that the site's developers will generate from an authenticated account on my site. I then supply them with the appropriate embed code.

My first thought was to just use an iframe that loads a page off my site with url parameters specific to the page/site bo. If I go that route, is there a way to determine that the page is only loaded from an iframe embedded on a particular domain or url prefix? Could something similar be acplished with javascript?

I read this post which was very helpful, but my use case is a bit different since I'm actually going to pop up content for users to interact with. The concern is that an enemy of the site hosting my embed will deceptively lure their own users to use the widget. These users will believe they are interacting with my site on behalf of the enemy site but actually be interacting on behalf of the friendly site.

I'm building a website that is functionally similar to Google Analytics. I'm not doing analytics, but I am trying to provide either a single line of javascript or a single line iframe that will add functionality to other websites.

Specifically, the embedded content will be a button that will popup a new window and allow the user to perform some actions. Eventually the user will finish and the window will close, at which point the button will update to a new element reflecting that the user pleted the flow.

The popup window will load content from my site, but my question pertains to the embedded line of javascript (or the iframe). What's the best practice way of doing this? Google analytics and optimizely use javascript to modify the host page. Obviously an iFrame would work too.

The security concern I have is that someone will copy the embed code from one site and put it on another. Each page/site bination that implements my script/iframe is going to have a unique ID that the site's developers will generate from an authenticated account on my site. I then supply them with the appropriate embed code.

My first thought was to just use an iframe that loads a page off my site with url parameters specific to the page/site bo. If I go that route, is there a way to determine that the page is only loaded from an iframe embedded on a particular domain or url prefix? Could something similar be acplished with javascript?

I read this post which was very helpful, but my use case is a bit different since I'm actually going to pop up content for users to interact with. The concern is that an enemy of the site hosting my embed will deceptively lure their own users to use the widget. These users will believe they are interacting with my site on behalf of the enemy site but actually be interacting on behalf of the friendly site.

• javascript
• security
• iframe
• xss
• cross-site

Share Improve this question Follow edited May 23, 2017 at 11:52 CommunityBot 111 silver badge asked Aug 20, 2013 at 1:40 Peter KinnairdPeter Kinnaird 9522 silver badges66 bronze badges

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 11

If you want to keep it as a simple, client-side only widget, the simple answer is you can't do it exactly like you describe.

The two solutions that e to mind for this are as follows, the first being a promise but simple and the second being a bit more involved (for both you and users of your widget).

Referer Check

You could validate the referer HTTP header to check that the domain matches the one expected for the particular Site ID, but keep in mind that not all browsers will send this (and most will not if the referring page is HTTPS) and that some browser privacy plugins can be configured to withhold it, in which case your widget would not work or you would need an extra, clunky, step in the user experience.

1. Website www.foo. embeds your widget using say an embedded script <script src="//example./widget.js?siteId=1234&pageId=456"></script>
2. Your widget uses server side code to generate the .js file dynamically (e.g. the request for the .js file could follow a rewrite rule on your server to map to a PHP / ASPX).
3. The server side code checks the referer HTTP header to see if it matches the expected value in your database.
4. On match the widget runs as normal.
5. On mismatch, or if the referer is blank/missing, the widget will still run, but there will be an extra step that asks the user to confirm that they have accessed the widget from www.foo.
6. In order for the confirmation to be safe from clickjacking, you must open the confirmation step in a popup window.

Server Check

Could be a bit over engineered for your purposes and runs the risk of being too plicated for clients who wish to embed your widget - you decide.

1. Website www.foo. wants to embed your widget for the current page request it is receiving from a user.
2. The www.foo. server makes an API request (passing a secret key) to an API you host, requesting a one time key for Page ID 456.
3. Your API validates the secret key, generates a secure one time key and passes back a value whilst recording the request in the database.
4. www.foo. embeds the script as follows <script src="//example./widget.js?siteId=1234&oneTimeKey=231231232132197"></script>
5. Your widget uses server side code to generate the js file dynamically (e.g. the .js could follow a rewrite rule on your server to map to a PHP / ASPX).
6. The server side code checks the oneTimeKey and siteId bination to check it is valid, and if so generates the widget code and deletes the database record.
7. If the user reloads the page the above steps would be repeated and a new one time key would be generated. This would guard against evil. from page scraping the embed code and parameters.

The response here is very thorough and provides lots of great information and ideas. I solved this problem by validating X-Frame-Options headers on the server-side , though the support for those is inplete in browsers and possibly spoofable.

本文标签： Security in embedded iframejavascript widgetStack Overflow