Upgrade to Pro — share decks privately, control downloads, hide ads and more …

iframe: a less than useful look at the abuse th...

Remy Sharp
December 02, 2013

iframe: a less than useful look at the abuse the iframe takes

A 20 minute version for dotjs of my iframe abuse talk

Remy Sharp

December 02, 2013
Tweet

More Decks by Remy Sharp

Other Decks in Technology

Transcript

  1. <iframe> A less than useful look at the abuse the

    iframe takes. Remy Sharp • @rem • Left Logic
  2. Foundation of early comet techniques 2000/2006 var iframe = document.createElement('iframe');

    iframe.style.display = 'none'; document.head.appendChild(iframe); iframe.src = '/live-stream'; require('http').createServer(function (req, res) { res.writeHead(200, { 'content-type': 'text/html' }); res.write(sendPadding()); setInterval(function () { res.write(getLiveData()); }, 1000); });
  3. iframe must be in DOM to start writing to it

    var window = iframe.contentWindow || iframe.contentDocument.parentWindow;
  4. function iframe() { var iframe = document.createElement('iframe'); document.body.appendChild(iframe); return iframe.contentWindow

    || iframe.contentDocument.parentWindow; } var window = iframe(), document = window.document; document.open(); document.write(myAwesomeHTML); document.close();
  5. •Request / == "app chrome" •All other urls include iframe

    to light manifest page •Manifest says: FALLBACK: /* / •Therefore: any request to an unknown url, the "app chrome" will load via the fallback
  6. Future / Now / Good Parts • postMessage/onMessage • seamless

    • srcdoc • sandbox="allow-same-origin allow-forms allow-scripts" http://benvinegar.github.com/seamless-talk/