StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO<script> src replacement - sandbox breaker - will it last?
text
Body
copied!<p>Hey people, I am working on a web do-dad which allows has an embed code.</p> <p>In this particular embed, an iframe is added to the page in place of the embed code via javascript. I now have control of the user's page, and, since I am writing the content of the iframe from javascript as well, control of the iframed page. Doing this (as opposed to sourcing my iframe from our server) lets us talk to the iframe to do a cool trick.</p> <p>THE PROBLEM: the iframed page still needs to ajax stuff from our server. Sandbox issues! The solution, it seemed to me was <code><script></code> src replacement - essentially replacing our ajax procedure with a sandbox-breaker version.</p> <p>I have been told that this ability of most browsers is on the chopping block. is this true? terrible! I can't find anythign to this effect in my (admittedly brief) research, and though i'd go to the experts</p> <ul> <li>is <code><script></code> src replacement a viable mechanism to pull off sandbox-breaker type effects?</li> <li>is <code><script></code> src replacement viable at all?</li> <li>how do adwords work? they need to call home, right? How do they do that?</li> <li>I understand that the soon-to-be available cross site XHR stuff will pop security dialogs - is this true?</li> <li>Can anybody recommend and other sandbox breaker technique that won't pop a security dialog?</li> </ul> <p>(yes I am aware of the security concerns - We are wearing protection and whatnot)</p> <p>Thanks!</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload