Iframes and Same-Origin-Policy and reverse proxy h

Posted 2019-08-10 19:43

I have been reading up on Iframes with different domains than the parent document and I am slightly confused.

I understand that if the Iframe is from the same domain as its parent document, the parent document can access the iframe's document. It seems like I could circumvent this with the following hack:

  1. I set up a web server at mydomain.com
  2. I serve the original page from mydomain.com/index.html
  3. I setup a proxy on my webserver for mydomain.com/othersite -> site2.com
  4. Add <iframe src="mydomain.com/othersite"> to the mydomain.com/index page

This seems like it would circumvent the same origin policy and the user would be none the wiser. Is there something I am missing?

1 answer
Root(大扎)
#2 · 2019-08-10 20:37

Yes, there is something you are missing.

The Same Origin Policy secures the client-side of website access.

If you set up mydomain.com/othersite to be proxied to site2.com then the browser would not be sending the user's cookies for site2.com to your site at mydomain.com. All you would get is the cookies your site had set on mydomain.com for that user. That is, all you would be attacking was your mydomain.com session with site2.com, not the user's session with site2.com (as your reverse proxy effectively makes mydomain.com the client of this connection).

If there was a way to circumvent the Same Origin Policy this would have to be something client-side in order to have the browser send cookies to your domain.

I realise I've concentrated on cookies here, however cookies are an easy-to-grasp example of the client objects that the Same Origin Policy protects. Your approach would allow you to manipulate the DOM of site2.com but it would not be in the context of your visitor's access to site2.com, it would be in the context of your own access to site2.com - nothing that the visitor accesses could be changed unless they trusted your site enough to log into the proxied version of site2.com directly.
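The following is an added example, not code from the question or the answer above. It models the four-step setup from the question (mydomain.com serving index.html and reverse-proxying /othersite to site2.com) and the answer's two points: the browser attaches cookies by the origin of the request URL, so the proxy only ever receives mydomain.com's cookies and site2.com sees an anonymous client; and if the visitor does log in through the proxied copy, the proxy sees the credentials and the session cookie that site2.com issues. The hostnames mydomain.com and site2.com come from the question; the cookie names, session value, credentials and the /account and /login paths are invented for the demo, and the "browser", "proxy" and "site2.com" are in-process functions rather than real servers so the script runs offline with plain Node.js.

```javascript
'use strict';

// --- site2.com: the target origin. One pre-existing session (constructed demo data). ---
const SITE2_SESSIONS = { 'sess-alice-123': 'alice' };

function site2Handle(req) {
  // req: { host, path, cookies: {name: value}, body: object|undefined }
  if (req.path === '/login' && req.body &&
      req.body.user === 'alice' && req.body.pass === 'hunter2') {
    // Successful login: whoever is the HTTP client (browser or proxy) receives this Set-Cookie.
    return { status: 200, body: 'logged in as alice',
             setCookie: { site2_session: 'sess-alice-123' } };
  }
  const user = SITE2_SESSIONS[req.cookies.site2_session];
  return { status: 200, body: user ? `account page for ${user}` : 'please log in' };
}

// --- mydomain.com: the attacker's site, with /othersite/* reverse-proxied to site2.com ---
const proxyLog = [];  // everything that passes through the proxy, i.e. what the attacker can read

function mydomainHandle(req) {
  if (req.path.startsWith('/othersite')) {
    // The proxy, not the visitor's browser, is the client of site2.com. It can only forward
    // the cookies it received, and the browser attached those because the request was for
    // mydomain.com; site2.com's own cookies never leave the browser for this request.
    const upstream = {
      host: 'site2.com',
      path: req.path.slice('/othersite'.length) || '/',
      cookies: { ...req.cookies },
      body: req.body,
    };
    proxyLog.push({ dir: 'to-site2', path: upstream.path, cookies: upstream.cookies, body: req.body });
    const res = site2Handle(upstream);
    proxyLog.push({ dir: 'from-site2', path: upstream.path, setCookie: res.setCookie || null, body: res.body });
    return res;  // any Set-Cookie is passed through; the browser will file it under mydomain.com
  }
  return { status: 200, body: '<iframe src="/othersite/account"></iframe>' };  // index.html
}

// --- A browser model: a cookie jar keyed by origin (scheme://host[:port]) ---
const ROUTES = { 'site2.com': site2Handle, 'mydomain.com': mydomainHandle };

class Browser {
  constructor() { this.jar = new Map(); }
  setCookie(origin, name, value) {
    if (!this.jar.has(origin)) this.jar.set(origin, {});
    this.jar.get(origin)[name] = value;
  }
  cookiesFor(origin) { return { ...(this.jar.get(origin) || {}) }; }
  fetch(url, body) {
    const u = new URL(url);
    const handler = ROUTES[u.host];
    if (!handler) throw new Error(`no route for ${u.host}`);
    // Cookies are selected by the origin of the request URL and nothing else.
    const req = { host: u.host, path: u.pathname, cookies: this.cookiesFor(u.origin), body };
    const res = handler(req);
    for (const [name, value] of Object.entries(res.setCookie || {})) {
      this.setCookie(u.origin, name, value);  // filed under the origin that answered
    }
    return res;
  }
}

function runScenario() {
  proxyLog.length = 0;
  const browser = new Browser();
  // The visitor is already logged in at site2.com and has visited mydomain.com before.
  browser.setCookie('https://site2.com', 'site2_session', 'sess-alice-123');
  browser.setCookie('https://mydomain.com', 'visitor_id', 'v-42');

  const direct = browser.fetch('https://site2.com/account').body;             // the user's own session
  const viaProxy = browser.fetch('https://mydomain.com/othersite/account').body;  // the proxy's session
  const cookiesProxyForwarded = proxyLog[0].cookies;                           // mydomain.com's cookies only

  // The answer's caveat: the visitor trusts the framed page and logs in through it.
  browser.fetch('https://mydomain.com/othersite/login', { user: 'alice', pass: 'hunter2' });
  const afterLogin = browser.fetch('https://mydomain.com/othersite/account').body;
  const capturedLogin = proxyLog.find(e => e.dir === 'to-site2' && e.path === '/login').body;
  const capturedSetCookie = proxyLog.find(e => e.dir === 'from-site2' && e.setCookie).setCookie;

  return {
    direct, viaProxy, cookiesProxyForwarded, afterLogin, capturedLogin, capturedSetCookie,
    mydomainJar: browser.cookiesFor('https://mydomain.com'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

Run it with `node` and compare `direct` against `viaProxy`: the same visitor gets their account page from site2.com directly but "please log in" through the proxy, because the only cookie the proxy received was `visitor_id`, which the browser scoped to mydomain.com. After the login through the proxy, `capturedLogin` and `capturedSetCookie` hold the credentials and the session cookie, and the session cookie sits in the browser's jar under https://mydomain.com, which is exactly the "trusted your site enough to log into the proxied version" case; the mitigation on the site2.com side is not the Same Origin Policy but users logging in only on the real origin.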
