As some people may know, JSONP is a convenient method of circumventing the same origin policy when we really have to interact with another (remote) site. However it can also bite ourselves in the foot because a malicious page on that remote site can execute arbitrary javascript code. See also JSONP on Wiki.

My idea is to prevent this from happening by the following method:
- Instead of on the page itself, I would include the script tag in an Iframe embedded in an IFrame. So the page would be structured like: [page p [iframe a [iframe b]]]. p would be accessible from b by: b.parent.parent. Credentials are only defined in p.
- In iframe b, save p in a closure "callme". This closure should be the only valid JSONP call. callme can do all necessary parameter checks.
- Now somehow remove iframe a from the chain, making b.parent.parent invalid. I noticed modifying window.parent doesn't work in IE, so it should be removed from p's document tree, for example.
- Now a malicious page can only call "callme" with the needed credentials.

My questions:
- Should this work? Ok, it's easy enough to test but:
- Is there a simpler method to achieve the same effect?
- And most importantly: do I overlook something else (another security issue), making this all moot?
If I understand your proposal, you're saying to delete the parent, but leave the child to do the work, eliminating the link from the child back to the (deleted) parent's parent. Removing A removes all its children, including B. Copying B, removing A, then creating B as a child of P would work, but it defeats the proposal.
Yeah, I figured that (note the word "somehow"). I was hoping removing A from the document tree but keeping a reference (in a js object) would work, for example. Plan B would be opening a new window from A, then deleting A, making the opener invalid in this case. A bit less practical as a solution though ...
And leaving B vulnerable to the same problems A was. I don't worry about problems like this until after the site's been hit. There's not enough time in a commercial environment to spend 40 hours a week on security, unless you're on the security team (which is also the round file in this place). But with hourly backups, I can go back to a working site in less than a minute and spend time plugging holes after someone finds them. (It's bad enough I have to go over the error log every day - unless I find something, they consider it a wasted 5 minutes. You know - the "just look at the log when there's something to find" mentality.)
I'm sorry, I should have been more descriptive. Plan B involves:
- Instead of on the page itself, I would include the script tag in a window opened by an IFrame. So the page would be structured like: [page p [iframe a]]. a opens a window b. p would be accessible from b by: b.opener.parent. Credentials are only defined in p.
- In window b, save p in a closure "callme". This closure should be the only valid JSONP call. callme can do all necessary parameter checks.
- Now remove iframe a from p's document tree, making b.opener.parent invalid. This time I expect window b not to be destroyed along with iframe a.
- Now a malicious page can only call "callme" with the needed credentials.

This solution is less practical because it bothers the user with an extra popup. My situation is somewhat different. This is about an intranet web application to be deployed by a customer where security is an important item. Sometimes they have strict firewall policies preventing a backend solution (which I do prefer). This would give us a little more options.