If Site A has an iframe of Site B, and the two sites are on different domains, can Site B know (via js or something) if it's in an iframe with the allow-same-origin attribute and thwart it?
I need to reassure the administrators of site B that their site is safe within an iframe on Site A.
EDIT: This question is essentially moot, as I've misunderstood what allow-same-origin means.
If you take the normal case of a containing web page (site A) that has an iframe embedded in it (site B), then the browser's same-origin restrictions make it impossible for site A to access anything in site B's page unless site B specifically cooperates to allow that, usually with window.postMessage() - a means of sending messages between documents, windows or frames of a different origin. By default, no access is allowed.
You refer to a sandbox attribute on the iframe, allow-same-origin. When you add the sandbox attribute, things are shut down even more, so even less access is allowed. The allow-same-origin attribute brings back access from the same origin only. Since your example of site A and site B are on different origins, this should have no effect on the access between them. Site A's page will still not be able to access site B's page.
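
The access rule described in the answer above, as an added example that is not part of the original answer: a simplified JavaScript model of the origin a framed document runs with and whether the parent may script it, plus the origin check site B would apply to its opt-in postMessage channel. The hostnames a.example and b.example and all function names are assumptions, and the model ignores legacy relaxations such as document.domain.

```javascript
// Added illustration (not from the original answer). Hostnames are constructed.

// Origin a framed document runs with. `sandbox` is null when the iframe has
// no sandbox attribute, otherwise the attribute's token string ("" = all
// restrictions on).
function effectiveOrigin(frameUrl, sandbox) {
  const real = new URL(frameUrl).origin;
  if (sandbox === null) return real;
  const tokens = sandbox.split(/\s+/).filter(Boolean);
  // Sandboxed content without allow-same-origin is placed in a unique opaque
  // origin that matches nothing, not even its own URL's origin.
  return tokens.includes("allow-same-origin") ? real : Symbol("opaque");
}

// The parent may reach into the frame's DOM only when both origins match.
function parentCanAccess(parentUrl, frameUrl, sandbox) {
  return new URL(parentUrl).origin === effectiveOrigin(frameUrl, sandbox);
}

// Site B's side of the opt-in channel: a message event is accepted only when
// event.origin is on B's own allowlist; anything else is dropped.
function acceptMessage(event, trustedOrigins) {
  return trustedOrigins.includes(event.origin) ? event.data : null;
}

// Cross-origin embedding (the question's case): denied for every sandbox value.
const A = "https://a.example/page";
const B = "https://b.example/widget";
const crossOrigin = [null, "", "allow-scripts", "allow-same-origin allow-scripts"]
  .map((s) => parentCanAccess(A, B, s));

// Same-origin embedding: the only case where allow-same-origin changes the result.
const sameOrigin = [null, "", "allow-same-origin"]
  .map((s) => parentCanAccess(A, "https://a.example/inner", s));

console.log({ crossOrigin, sameOrigin });
```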