不要让父网站从我的iFrame获取信息
I have to make an iFrame that will manage user's sensible information. I need the parent page not to be able to get information from it. What can you recommend me to achieve this goal?. I already saw how to obfuscate my javascript code, but its not enough I need to be impossible to have access from the website to some iFrame's values that are inside some fields that the user will fill up.
For example I try making my own frame and web to test the security and if I put this on the web: iFrameName.document.getElementById("idTextField").value; I get the text that the client filled, thats what I want to prevent, to be impossible (or very difficult) for the web to get the data of the fields I have in my iFrame.
Thank you all.
By the way Im using HTML, JS and PHP
我必须制作一个能够管理用户敏感信息的iFrame。 我需要父页面无法从中获取信息。 你有什么建议我实现这个目标的? 我已经看到了如何混淆我的javascript代码,但它还不够我无法从网站访问某些iFrame的值,这些值位于用户将填充的某些字段中。 p>
谢谢大家。 p> \ n
顺便说一下,我使用HTML,JS和PHP p> div>
http://javascript.info/tutorial/same-origin-security-policy
Because of Same Origin policy in Javascript, from javascript is impossible to have access to an iFrame if both (parent and iFrame) are located in different domains.
"So, iframe.contentWindow.document will be the inner document. You can access it or modify from parent window if both iframe and the parent come from one domain/host/port (security limitations are discussed more in detail in the next sections)." Text From: http://javascript.info/tutorial/frames-and-iframes
All modern browsers prevent a site from getting iframe content that doesn't belong to it. This is a security feature to prevent hacking.
For example, if you log into your bank's website and then go to another site that includes your bank in an iframe, then you may see the bank page in an iframe, but the third party site will still not be able to read it.
Furthermore, your bank will probably not even appear in the frame to begin with because many sites (including StackOverflow) prevent iframes from displaying them.
Assuming your iframe isn't in the same domain as the containing app and it doesn't need to communicate with with the other app, then you don't need to do anything special.
If you do need to communicate between windows/frames in different domains, then you can use the window.postMessage() API to pass data between them. The API will allow you to decide how you use the messages while retaining control of your page. (Protip: Don't eval the passed messages.)