Does iframe parent have access to child cookie-based authentication token?

Time: 09-22

I have a product that requires sign-in authentication. I use JWT but store it inside cookies (which I know could be a problem once there is an XSS vulnerability).

This product is also given to some "other domains" that embed it through an iframe.

I'm curious if there are any security risks that I did not think about in this situation.

E.g., does the parent, the "other domain", have access to my authentication tokens since I use cookies to store my JWT tokens? If the parent has an XSS vulnerability, would this automatically imply a vulnerability for me as well?

CodePudding user response:

I have a product that requires sign-in authentication. I use JWT but store it inside a cookie (which I know could be a problem once there is an XSS vulnerability)

Storing it in a cookie is not a problem now. By using some headers like SameSite and CSP it is even harder to exploit XSS: they can pop up an alert box, but they cannot steal cookies, though it gives you the confidence to use it. It really depends on how you code a functionality. If you are using frameworks (like Jinja, Vue, Angular, EJS, etc.) there is a very low chance for an attacker to inject code.

This product is also given to some "other domains" that embed it through an iframe

If the parent domain has an XSS, then probably the iframe is also affected by the XSS. They can see the content and send it to their domain, or there is a tool called xsshunter.io; you can check by testing it on a development server. But if you use CSP and SameSite: Lax then it's not a problem; there will be no communication to external domains other than the whitelisted domains. If it's vertical privilege from child to parent, then you have a great feature called sandbox in the iframe.

Value                                    Description
(no value)                               Applies all restrictions
allow-forms                              Allows form submission
allow-modals                             Allows opening modal windows
allow-orientation-lock                   Allows locking the screen orientation
allow-pointer-lock                       Allows use of the Pointer Lock API
allow-popups                             Allows popups
allow-popups-to-escape-sandbox           Allows popups to open new windows without inheriting the sandboxing
allow-presentation                       Allows starting a presentation session
allow-same-origin                        Allows the iframe content to be treated as being from the same origin
allow-scripts                            Allows running scripts
allow-top-navigation                     Allows the iframe content to navigate its top-level browsing context
allow-top-navigation-by-user-activation  Allows the iframe content to navigate its top-level browsing context, but only if initiated by the user

It is good practice to use JWT in headers, but there is no problem at all using it in cookies; using JWT in headers is more secure, though. Hope this helps you!
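
As an added example, not code from the question or the answer above: Node.js helpers for the embedded app's side of this setup, covering the cookie attributes that decide whether the token is readable from script or sent into a cross-site iframe at all, and the CSP `frame-ancestors` directive that limits which "other domains" may embed the app. The function names and the partner origin are illustrative assumptions; it assumes the embedding domains are cross-site with the app, where a cookie with SameSite=Lax (the browser default) is not sent to the framed document.

```javascript
// Added example (not from the original post). Helpers for a JWT-in-cookie
// app that partner sites embed in an iframe. Names are illustrative.

// Set-Cookie header for the session JWT. HttpOnly keeps document.cookie
// (and therefore any XSS payload) from reading the token. A cross-site
// iframe only receives the cookie when SameSite=None, which browsers
// require to be paired with Secure.
function sessionCookie(name, jwt, maxAgeSeconds = 3600) {
  return [`${name}=${jwt}`, 'Path=/', `Max-Age=${maxAgeSeconds}`,
          'HttpOnly', 'Secure', 'SameSite=None'].join('; ');
}

// Audit a Set-Cookie header for a token cookie that must work inside a
// cross-site iframe. Returns a list of findings (empty when acceptable).
function auditCookie(header) {
  const attrs = header.split(';').slice(1).map(a => a.trim().toLowerCase());
  const findings = [];
  if (!attrs.includes('httponly')) findings.push('missing HttpOnly');
  if (!attrs.includes('secure')) findings.push('missing Secure');
  const sameSite = attrs.find(a => a.startsWith('samesite='));
  if (!sameSite) {
    findings.push('missing SameSite (default Lax: dropped in cross-site iframe)');
  } else if (sameSite !== 'samesite=none') {
    findings.push(`${sameSite}: dropped in cross-site iframe`);
  }
  return findings;
}

// Content-Security-Policy value: only these partner origins (plus the app
// itself) may embed the app; any other embedder gets a blocked frame.
function framePolicy(allowedOrigins) {
  return `frame-ancestors ${["'self'", ...allowedOrigins].join(' ')}`;
}

// Constructed sample values (hypothetical partner origin and token).
const cookie = sessionCookie('session', 'eyJ.fake.jwt');
console.log('Set-Cookie:', cookie);
console.log('findings:', auditCookie(cookie));
console.log('findings:', auditCookie('session=x; Path=/; SameSite=Lax'));
console.log('Content-Security-Policy:', framePolicy(['https://partner.example']));
```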
