<p>It is <strong>not possible</strong> to do this because of the browser's security model. If it was possible, that would be a security problem and would have to be fixed.</p>

<p>Although letting the embedding site know the height of a third party webpage when embedded in the page seems harmless, this can leak information to the embedding site that the browser's user wants to keep private. For example, <a href="http://www.facebook.com/" rel="nofollow noreferrer">http://www.facebook.com/</a> renders differently depending on whether or not you are logged in, so if my website can work out the height of <code>&lt;iframe src="http://www.facebook.com/"&gt;</code> then I can work out whether or not you are a facebook user, something you probably don't want me to know.</p>

<p>The information leakage would be similar to the infamous <a href="http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/" rel="nofollow noreferrer">CSS History Leak</a> in that it would reveal information about the user's relationship with the third-party site just by "linking" to that site (in this case with an iframe instead of a link). Browser vendors had to plug the CSS History Leak, so I suspect if you <em>could</em> work out the height of a third party site rendered in an iframe in any browser, the vendor would have to fix that too.</p>

<p>The information leaked would be anything that can be inferred from the height of a page when rendered for a user using their cookies (which the browser will send even though rendering in an iframe inside a different domain's page). The specific risks depend entirely on the nature of the embedded site being "attacked". E.g. I could get an idea of how much stackoverflow activity someone visiting my site has by getting the height of <a href="https://stackoverflow.com/reputation">https://stackoverflow.com/reputation</a> which is different for different users.</p>
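<p>As an added example (not part of the answer above, and not browser code), the following Node.js script models the check that makes the answer's point hold: a browser compares the <em>origin</em> (scheme, host and port, not the path) of the embedding page with that of the framed page and refuses script access to a cross-origin frame's document, so its height is never exposed. It also shows the response headers a site can send if it does not want to be framed by other origins at all. The names <code>sameOrigin</code>, <code>readFrameHeight</code>, <code>antiFramingHeaders</code> and the <code>frameDoc</code> stand-in object are constructed for this example; the hostnames in the demo are constructed as well.</p>

```javascript
// Added example, not code from the original answer. Runs under Node.js with no DOM.
// It models the same-origin check a browser applies before letting embedding-page
// script read a framed document, plus the anti-framing headers a site can send.

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

// Two URLs are same-origin when scheme, host and port all match. The path is
// irrelevant, and a default port (443 for https) is normalised away by the URL API.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Model of browser behaviour: the embedding page may read the framed document's
// layout (here the constructed `frameDoc.scrollHeight`) only when both are
// same-origin. A cross-origin frame's document is opaque to the embedder.
function readFrameHeight(embedderUrl, frameUrl, frameDoc) {
  if (!sameOrigin(embedderUrl, frameUrl)) {
    const embedderOrigin = new URL(embedderUrl).origin;
    const frameOrigin = new URL(frameUrl).origin;
    throw new SecurityError(
      `Blocked a frame with origin "${embedderOrigin}" from accessing a ` +
      `cross-origin frame at "${frameOrigin}".`
    );
  }
  return frameDoc.scrollHeight;
}

// Defender side: headers a site can send so browsers refuse to render it inside
// frames on other origins. CSP frame-ancestors is the current control;
// X-Frame-Options covers older browsers and is kept consistent with it.
function antiFramingHeaders({ allowSameOrigin = false } = {}) {
  return {
    "Content-Security-Policy": `frame-ancestors ${allowSameOrigin ? "'self'" : "'none'"}`,
    "X-Frame-Options": allowSameOrigin ? "SAMEORIGIN" : "DENY",
  };
}

// Constructed demo: a same-origin widget can be measured, a cross-origin page
// cannot. Returns the outcomes so they can be inspected or asserted on.
function demo() {
  const widget = { scrollHeight: 640 };      // constructed stand-in for a same-origin document
  const thirdParty = { scrollHeight: 1200 }; // constructed stand-in for a cross-origin document
  const sameOriginHeight = readFrameHeight(
    "https://app.example/dashboard", "https://app.example/widget", widget
  );
  let crossOriginResult;
  try {
    readFrameHeight("https://embedder.example/page", "https://stackoverflow.com/reputation", thirdParty);
    crossOriginResult = "readable (this should never happen)";
  } catch (err) {
    crossOriginResult = err.name; // "SecurityError"
  }
  return { sameOriginHeight, crossOriginResult, headers: antiFramingHeaders() };
}

console.log(demo());
```

<p>The model is deliberately strict: it answers only "same origin or not", which is exactly what a browser does before granting access to <code>contentDocument</code>. A site that must never be embedded by other origins should send <code>frame-ancestors 'none'</code>; one that embeds its own pages sends <code>'self'</code>.</p>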