How Secure is This? #996
Comments
This was referenced Oct 11, 2021
|
Thanks, all the messages are sent as strings, rather than JS objects. This is due to this being first written in the days of IE6. So their is no option to pass code. in addition to this by default iFrameResizer only accepts messages from the domain in the the iFrame tag. This is do using the security options built into the PostMessage API. I first wrote this eight years ago and I have never had a security incident raised. It is used by at lease one financial institution who made a small suggestion on hardening the API and this was implemented. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Before I begin; congratulations! I have spent many hours on this problem yet I was not able to solve it. This library worked like a charm.
My concern is since guests are sending messages to hosts, if a guest is untrusted, and the host does not sanitize inputs from the guest, the guest can execute malicious programs inside the host environment. Is this addressed already?
The text was updated successfully, but these errors were encountered: