Setting cookies within an iFrame - javascript

I know this is a very talked about subject but just wanted to check something with you knowledgeable people.
I've got a domain, say domain-A, that is out of my control, housing an application from domain-B, developed by me, in an iFrame. The application within the iFrame uses cookies a lot. Should this work?
I'm not trying to read cookies between domain-A and domain-B, I purely want to set cookies in domain-B and read them in domain-B.
All seems fine in Chrome but IE doesn't want to play the game.
Can anybody give me some guidance please?
Thanks,
Andy.

From the server point of view, this should work fine. Your domain B will receive cookies from the IFRAME, as if it were just another web-page.
From the client side: sending the cookie could depend on policies set by the browser, or even by the user. Fiddle with the security level of your domain and the cookie settings in IE to get a hint of what is going on.

Related

Iframe and blocking third-party cookies

I have an IFrame on my webapp which hosts a website.
The hosted website needs access to local storage (cookies) to get the auth token.
On Chrome all is working fine, but going into incognito mode gives me an error, because third-party cookies are blocked.
Disabling this option in settings is not an option for me - I just can't force users to do that.
Is there anything I can do to go around this problem?
The hosted website is the website I trust and I know the URL. I was thinking maybe I can add something to the header to allow access only from that URL, something like CORS?
Thanks for help.
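The two posts above both hit the same thing: a cookie set by the framed site (domain-B) is a third-party cookie from the browser's point of view. This added example, written for this page and not taken from either post, shows the attributes current browsers require before they will send such a cookie from inside a cross-site iframe, and a checker that reports why a given Set-Cookie header would be dropped. It models today's SameSite rules, not the IE-era behaviour the first post ran into.

```javascript
// Added example (not from the original posts): building and checking a
// Set-Cookie header for a site that runs inside a cross-site iframe
// (domain-B framed by domain-A). Current browsers treat such cookies as
// third-party and only send them with SameSite=None plus Secure.

// Build a Set-Cookie header value for a cookie that must be set and read
// from inside a cross-site iframe.
function buildEmbeddedCookie(name, value, { maxAge = 3600, httpOnly = true } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${maxAge}`,
    'Secure',          // required: browsers drop SameSite=None without it
    'SameSite=None',   // needed for the third-party (framed) context
  ];
  if (httpOnly) parts.push('HttpOnly'); // keep it out of document.cookie
  return parts.join('; ');
}

// Parse a Set-Cookie header value into name, value and an attribute map
// (attribute names lower-cased, flag attributes mapped to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const [k, v] = a.split('=');
    cookie.attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return cookie;
}

// Why a cookie would not be sent from inside a cross-site iframe.
// Returns null when it is usable there, otherwise the blocking reason.
function embeddedCookieProblem(header) {
  const { attrs } = parseSetCookie(header);
  const sameSite = String(attrs.samesite || 'lax').toLowerCase(); // Lax is the browser default
  if (sameSite !== 'none') return `SameSite=${sameSite} blocks cross-site iframe use`;
  if (!attrs.secure) return 'SameSite=None requires Secure';
  return null;
}
```

Note that SameSite=None; Secure only makes the cookie eligible; a browser or user setting that blocks third-party cookies outright (the incognito case in the second post) still wins.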

GDPR: youtube-nocookie embedded URLs, need visitors' permission?

This is my first time posting on Stack Overflow and I have a question about the GDPR.
Hi there! (This is meant to be on top of the post, but for some reason it gets deleted when I save it)
Situation:
On my website I don't want to bother visitors with cookie notifications, so the goal is to only place necessary cookies. However, there will be embedded YouTube videos on the website, which usually place tracking cookies.
After some research I stumbled upon the youtube-nocookie.com domain, which I am using now. Without using that domain, an embedded video URL will be:
https://www.youtube.com/embed/7cjVj1ZyzyE
With using it, it is:
https://www.youtube-nocookie.com/embed/7cjVj1ZyzyE
By using the latter, cookies will only be placed after playing the video, and no tracking cookies will be placed (according to Google: https://support.google.com/youtube/answer/171780?hl=en under 'Turn on privacy-enhanced mode'). However, some cookies will still be placed, and it is not clear to me whether visitors will need to give permission for those, and if so, under what category (and maybe they are still tracking?).
[Image: the cookies youtube-nocookie.com places]
This is in Chrome. The cookies from the gstatic domain are placed on page load for some reason. That doesn't happen in Opera.
Another weird thing is that Firefox (with all cookies and trackers allowed) and Edge don't seem to place any of the 6 cookies from the image at all.
Many sites and blogs say that this is the way to embed YouTube videos, but I can't seem to find a clear answer to the question whether you still need visitors' permission for these cookies. Also on many sites where I only accept necessary cookies, I still have the possibility to view YouTube videos and the corresponding cookies will be happily placed without my consent.
Has anybody dealt with this before?
Thanks in advance!
After some more research I think I found a clear answer. From a report of Cookiebot:
“Privacy-Enhanced Mode” currently stores an identifier named “yt-remote-device-id” in the web browser’s “Local Storage”. This allows tracking to continue regardless of whether users click, watch, or in any other way interact with a video – contrary to Google’s claims. Rather than disabling tracking, “privacy-enhanced mode” seems to cover it up.
Source: https://www.cookiebot.com/media/1136/cookiebot-report-2019-ad-tech-surveillance-2.pdf
The 'yt-remote-device-id' identifier, along with some other ones, is, even with the use of the youtube-nocookie.com domain (or 'Privacy Enhanced Mode'), still being placed on page load (given that the iframe with the set source is already part of the DOM at this point, of course).
So while no actual tracking cookies are placed, the tracking has moved to the browser's localStorage (I overlooked this before), which basically means visitors actually do need to give permission before embedded YouTube videos with Privacy Enhanced Mode enabled should be loaded on the page.
Update
Gave some nuance in response to Marc Hjorth's comment.
I can confirm that the localStorage entry effectively replaces the function of the cookie. It is persistent and makes you identifiable across browser sessions. I get the same "yt-remote-device-id" value each time after restarts. Only erasing the local storage makes a difference.
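The practical consequence of the finding above is that the iframe must not exist in the DOM until the visitor has consented. This added example (written for this page, not code from the original post) renders a placeholder until consent is given, validates the video id before putting it in a src attribute, and audits a Storage-like object for the identifier the post observed. The 11-character id rule and the "yt-" prefix match are assumptions; the sample storage contents are constructed.

```javascript
// Added example, not from the original post: a consent-gated embed plus a
// storage audit. The post found that even youtube-nocookie.com writes
// "yt-remote-device-id" to localStorage as soon as the iframe is in the DOM,
// so the iframe must not be created before the visitor consents.
const NOCOOKIE_EMBED = 'https://www.youtube-nocookie.com/embed/';

// Validation rule assumed here: ids are 11 URL-safe characters. Anything
// else is rejected instead of being interpolated into the src attribute.
function isValidVideoId(id) {
  return /^[A-Za-z0-9_-]{11}$/.test(id);
}

// Markup for a video: a placeholder that performs no network request until
// consent, and the real iframe only once consent has been granted.
function renderVideo(videoId, consentGranted) {
  if (!isValidVideoId(videoId)) throw new Error('invalid video id');
  if (!consentGranted) {
    return `<button class="yt-consent" data-video="${videoId}">Load video (YouTube will store an identifier)</button>`;
  }
  return `<iframe src="${NOCOOKIE_EMBED}${videoId}" allow="encrypted-media; picture-in-picture" referrerpolicy="strict-origin-when-cross-origin"></iframe>`;
}

// Audit a Storage-like object (window.localStorage in the browser) for the
// identifier the post observed; the "yt-" prefix match for related entries
// is an assumption, not something the post states.
function findYouTubeStorage(storage) {
  const found = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (key === 'yt-remote-device-id' || key.startsWith('yt-')) found.push(key);
  }
  return found;
}

// Constructed sample standing in for localStorage after an embed has loaded.
const sampleStorage = (() => {
  const keys = ['yt-remote-device-id', 'yt-sample-entry', 'my-own-setting'];
  return { length: keys.length, key: (i) => keys[i] };
})();
```

In the page, a click handler on the placeholder button would call renderVideo(id, true) and swap the button for the returned iframe markup; findYouTubeStorage(window.localStorage) afterwards shows what the embed left behind.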

Detecting "Bad Request" or 404 in iframe

Is there a way to detect these website errors in iframes? I am working on an app that has a third-party website that has to be embedded into an iframe (trust me, I'm not happy about it) and we have to be able to hide the iframe if these errors occur.
What is the most graceful way to handle this? I have tried a .error, but have had no success. Help would be appreciated so I can keep my brain intact and not have it explode everywhere.
No, it's not.
If the iframe is coming from a different source and doesn't allow access (X-Frame-Options), you can't do anything about it.
Read about it here: same origin policy.
There are a few things, however, you can do:
If those are singular clicks (people don't navigate further) you can just make a request and check the content, and then actually open the iframe.
You can add an in-app browser, like LinkedIn does, for example. Take a look at Cordova's in-app browser; that is a really specific solution, different for each platform, but it removes the need for an iframe.

X-Frame ORIGINS in IFRAME

A while ago I created an application whereby clients connect to a server using WebRTC protocols.
The client's screen is made up of two halves. One half is linked to the server and receives things like messages, and has the web page which has the WebRTC JavaScript in it. The other is an IFRAME. When the client connects to the server, the server sends the client a web address which is loaded in the IFRAME.
I know that some web pages cannot be loaded in an iframe, examples typically being password screens. Google Forms does not appear to have this restriction, which is great.
So now imagine I launch a server and ask 20 people to connect to it. All 20 students connect to the server properly, I know because it comes up with all their details on my computer. Typically, from my testing, 15/20 will be fine. The other 5 will get a white screen. When I investigate in the console it is an XFRAMES ORIGIN problem; it's saying the webpage being loaded will not allow itself to be loaded in an iframe. However everybody else (who are using the same browser [Chrome], and some the same browser version) are fine.
Now I have one solution which works for some students, there is a setting in chrome which is called:
block third party cookies and site data
If this is enabled it doesn't work; if it's not enabled it does work.
Now I have 4 students left who still just see a white screen whom I have no solution for. Chrome and Firefox both support the software but both produce the same issue.
The building setup is that students connect to the internet through a server. They must connect via this server as my nameserver is not local and indeed my website is not local either.
I don't think it is a coding issue as it only happens on a few select computers and everything else works just hunky dory. Thus I think it might be an issue with something else: firewall, security settings, config button etc. If anybody has any suggestions for what I can do to remedy this then I would be very grateful for your help.
I have tried to supply all info I believe to be relevant (hence the length) but anything I have missed please ask.
Thank you.
Alex
If the main site's URL is different than the iframe's URL, you'll get an xframes origin problem. This includes the protocol (http vs. https) and full domain (example.com vs www.example.com). In other words, if a user goes to example.com and the iframe uses www.example.com it could cause an xframes origin error. Or if they go to http://www.example.com and the iframe uses https://www.example.com you might get this error.
OK, so for people who encounter this issue in the future I am going to update this post here. Basically it is for people who want an answer to the issue of iframes just displaying a white page.
With these three solutions I have eliminated all my issues, but as I come up with new ones I will post them here. Hopefully it's useful to somebody :)
SOLUTION 1
If your iframe is aiming somewhere that requires the user to log in, it is unlikely to work. Password pages are rarely cross origin for obvious and good reasons. The solution is to ensure before they use your iframe page they log in fully to what they are doing, or provide an error message that gives them this information if it happens. See this post for details: Catch error if iframe src fails to load. Error: "Refused to display 'http://www.google.co.in/' in a frame.."
Where I am we had a dual login, so they sign into Google and then into the organisation. Both these login areas will cause your page load to fail.
SOLUTION 2 (Chrome ONLY)
Some services react badly to QUIC mode, and some of my users have had issues due to this.
To fix:
1. chrome://flags
2. change QUIC mode to 'Disabled'
SOLUTION 3
If you are working via a proxy server that requires cookies, users may have issues if they have the 'Block third-party cookies and site data' button enabled. Disabling this had a positive effect on how well the iframes were working.
In Chrome:
Settings
Search for cookies
Click 'content settings'
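The answers in the two posts above (the 404 question and the X-Frame-Options question) both come down to the same fact: page script cannot see why a frame was refused, but a server can fetch the target first and apply the rules the browser applies. This added example, written for this page and not code from either post, does that pre-check from a response's status and its X-Frame-Options / CSP frame-ancestors headers, including the www vs apex origin mismatch described in the answer. Host-source matching is simplified to host plus port; the URLs in the test are constructed.

```javascript
// Added example, not from the posts: a server-side pre-check of whether a
// URL may be framed, done before the client loads it. The browser gives
// page script no way to see a 404 or a refused frame, but a server can
// fetch the URL and apply the same rules the browser does: status, the
// X-Frame-Options header and the CSP frame-ancestors directive.

// Same origin as the browser defines it: scheme, host and port all match.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Does one CSP frame-ancestors source expression permit embedderOrigin?
// Handles 'none', '*', 'self', *.host wildcards, host and scheme://host
// forms; a bare host is matched on host and port only (simplification).
function ancestorAllowed(source, embedderOrigin, targetUrl) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  const embedder = new URL(embedderOrigin);
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return sameOrigin(embedderOrigin, targetUrl);
  if (s.startsWith('*.')) return embedder.hostname.endsWith(s.slice(1));
  try {
    return s.includes('://') ? sameOrigin(s, embedderOrigin) : new URL(`https://${s}`).host === embedder.host;
  } catch (e) { return false; }
}

// Decide whether a response for targetUrl may be shown in an iframe on
// embedderOrigin. Returns { ok: true } or { ok: false, reason }.
function frameability(targetUrl, status, headers, embedderOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (status >= 400) return { ok: false, reason: `HTTP ${status}` }; // the "Bad Request"/404 case
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map((d) => d.trim()).find((d) => d.startsWith('frame-ancestors'));
  if (fa) { // when present, frame-ancestors wins over X-Frame-Options
    const sources = fa.split(/\s+/).slice(1);
    const allowed = sources.some((src) => ancestorAllowed(src, embedderOrigin, targetUrl));
    return allowed ? { ok: true } : { ok: false, reason: `frame-ancestors ${sources.join(' ')}` };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { ok: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN' && !sameOrigin(targetUrl, embedderOrigin)) {
    return { ok: false, reason: 'X-Frame-Options: SAMEORIGIN but embedder is a different origin' };
  }
  return { ok: true };
}
```

A pre-check like this cannot see per-user conditions (a login redirect, a proxy that needs cookies, a blocked third-party cookie), which is why the post's remaining white screens were not a header problem.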

preventing javascript injections from navigation bar

I was playing around with cookies and stuff, until I noticed a website saying that you can easily set cookies via the navigation bar with one simple line of code:
javascript: document.cookie="SESSID=IDOFSESSIONHERE;path=/"
While doing this, I could log in on one computer, copy the cookie data to another computer, and set the same cookie via this code; after a refresh I was logged in as the same user.
(just on a simple webpage I made myself)
This seems like a security issue to me. I mean, of course they would first need to get the cookie data, but without that, I imagine that you could do a lot of damage with javascript:, cookies aside.
Is there any way to prevent the usage of javascript: from the navigation bar?
The user is the security issue, not JavaScript. The user gave you the session id - i.e. do you give out your keys/passwords to others? If you do, what can the site do? Send around a bloke to look over your shoulder all the time?
JavaScript is only executed client side (the exception is Node.js). So no harm can be done to the server.
JavaScript runs in the user's browser. We don't have any control over it.
The thing you can do is to obfuscate or hash variable names and/or values.
See here
You cannot prevent JavaScript usage from the navigation bar. I could visit your website and use the Internet Explorer debug tool, Chrome debug tool or FireBug to launch JavaScript code on your page.
Since JavaScript runs on the visitor's local computer, you will have no control over it. Only the visitor has control over what cookies will be stored in the browser.
What you need to do is take security measures server-side. But yes, all authentication processes that depend on a session cookie will have the security issue you are explaining.
