Uploaded bybenvinegar
KEY, PPTX13,230 views

Modern iframe programming

This document discusses using iframes for various purposes such as sandboxing code from different domains or versions, asynchronous script loading, and cross-domain communication. It describes how iframes can execute code in a clean JavaScript environment isolated from the parent window. It also explains techniques like postMessage for communication between frames and using iframes with JSONP or document.domain to enable cross-domain requests and property access. The document provides examples of libraries that sandbox code in iframes like Twitter's @anywhere widget and the hiro.js testing framework.

Embed presentation

Download as KEY, PPTX
modern iframe programming txjs 2011
who invited this guy? • name’s ben • strange last name • work at disqus • hail from toronto
disqus? • dis·cuss • dĭ-skŭs' • third-party commenting platform • served on a bajillion sites • we use our fair share of iframes
first, some history
frames
frames • introduced in netscape navigator 2.0 (1996) • standardized in html 4 • frameset, frame, noframes • ... but obsolete in html5 (!)
iframes
iframes • introduced in internet explorer 4.0 (1997) • “inline” frame • not going anywhere (part of html5 spec)
more than just embedding content
“src-less” frames
“src-less” frames • separate window, DOM environment • property access from parent • contents load independently
restoring default browser objects
default objects • undefined • window • JSON • #toString • #indexOf
default objects • they can be modified - by anyone • often in incompatible ways • painful for third-party scripts
undefined
prototype & toJSON
safari & chrome
using iframes
IE < 9
not web scale
sandboxing
sandboxing • instead of taking objects/code out of an iframe, put it inside • execute in clean js environment • no global state leak
sandboxing
who’s doing this?
twitter @anywhere • twitter widget library • supports multiple lib versions/ instances per page • each version is sandboxed in a separate iframe dev.twitter.com/anywhere
twitter @anywhere
hiro.js • unit testing lib • each test suite runs in a new iframe • optional: seed global environment http://hirojs.com
asynchronous script loading
remember ... • stuff inside an iframe loads asynchronously • Souders says so! • still slower than other methods (script append, xhr)
iframes = slow
making synchronous scripts ... async
document.write • sometimes necessary evil • doesn’t work with async scripts • “you’ll overwrite the whole page!”
async + doc.write doesn’t mix
doc.write w/ iframes • tiny, synchronous outer script (outer.js) • outer.js doc.writes an iframe, and loads inner.js from inside • inner.js can doc.write all it wants; iframe contents load async
outer.js
google adsense http://bit.ly/google-iframe-async
cross-domain tunnels
cross-domain ajax • it doesn’t work • affects subdomains too • www.example.com can’t reach api.example.com, or vice versa
universal solution: JSONP
JSONP
JSONP • script tag element bypasses same-origin policy • but restricted to GET requests • also, difficult to cache
alternatively, tunnels
xd tunnels • host page creates iframe that points to url on target domain • iframe can freely make xhr requests • host page initiates requests through iframe
xd tunnels foo.com bar.com/ xhr tunnel.html bar.com/api
another wall • how does host page communicate with iframe? • same-origin policy prevents direct access • window messaging apis are the solution
iframe messaging • postMessage (HTML5) • window.name • url fragments • flash • catch ‘em all: easyXDM
iframe messaging = another talk http://bit.ly/cross-domain-barrier
so let’s talk about subdomains
subdomain tunnel • less complicated • property access is possible! • document.domain • host and iframe must both declare common document.domain, then they can access each other’s props
www.example.com api.example.com
www.example.com
tunnel.html
downsides :( • have to wait for tunnel to load • extra requests, bandwidth • is there a better way?
JSONPI json + padding + iframes (aka my awful attempt to coin something)
iframe POST
iframe POST • create an iframe • create a form • set form’s target=”...” attribute to point to iframe • submit the form • response loads in iframe body
JSONPI • use iframe POST • like jsonp: pass a callback fn • in response body, set common document.domain • js running in iframe can execute callback fn in parent window
flashback: JSONP
vs. JSONPI
JSONPI response
fin
thanks! • @bentlegen • we’re looking for js engineers! disqus.com/jobs • slides, sample code on github

More Related Content

KEY
Modernizr, Yepnope, and Polyfills
byAlex Sexton
 
PDF
Practical Phishing Automation with PhishLulz - KiwiCon X
byMichele Orru
 
PDF
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
byKrzysztof Kotowicz
 
KEY
Txjs
byBrian LeRoux
 
PDF
Buried by time, dust and BeEF
byMichele Orru
 
PDF
Html5: Something wicked this way comes (Hack in Paris)
byKrzysztof Kotowicz
 
PDF
Dark Fairytales from a Phisherman (Vol. II)
byMichele Orru
 
PDF
How to start developing apps for Firefox OS
bybenko
 
Modernizr, Yepnope, and Polyfills
byAlex Sexton
 
Practical Phishing Automation with PhishLulz - KiwiCon X
byMichele Orru
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
byKrzysztof Kotowicz
 
Txjs
byBrian LeRoux
 
Buried by time, dust and BeEF
byMichele Orru
 
Html5: Something wicked this way comes (Hack in Paris)
byKrzysztof Kotowicz
 
Dark Fairytales from a Phisherman (Vol. II)
byMichele Orru
 
How to start developing apps for Firefox OS
bybenko
 

What's hot

PDF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
byMichele Orru
 
PDF
Re-Introduction to Third-party Scripting
bybenvinegar
 
PDF
Dark Fairytales from a Phisherman
byMichele Orru
 
PDF
Advanced Chrome extension exploitation
byKrzysztof Kotowicz
 
PDF
Hanami
byBob Firestone
 
PDF
The Same-Origin Saga
byBrendan Eich
 
PDF
Code for Startup MVP (Ruby on Rails) Session 1
byHenry S
 
PPTX
Realtime web2012
byTimothy Fitz
 
KEY
Introduction to WebSockets
bySteve Agalloco
 
PDF
Something wicked this way comes - CONFidence
byKrzysztof Kotowicz
 
PPTX
Blazor - An Introduction
byJamieTaylor112
 
PDF
Why Plone Will Die
byAndreas Jung
 
PDF
Ruby is dying. What languages are cool now?
byMichał Konarski
 
PDF
Defcon 20-zulla-improving-web-vulnerability-scanning
byzulla
 
KEY
Rails development environment talk
byReuven Lerner
 
PDF
Cors kung fu
byAditya Balapure
 
PPTX
High Performance Social Plugins
byStoyan Stefanov
 
PDF
Lo4
byliankei
 
PDF
Progressive Downloads and Rendering - take #2
byStoyan Stefanov
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
byMichele Orru
 
Re-Introduction to Third-party Scripting
bybenvinegar
 
Dark Fairytales from a Phisherman
byMichele Orru
 
Advanced Chrome extension exploitation
byKrzysztof Kotowicz
 
Hanami
byBob Firestone
 
The Same-Origin Saga
byBrendan Eich
 
Code for Startup MVP (Ruby on Rails) Session 1
byHenry S
 
Realtime web2012
byTimothy Fitz
 
Introduction to WebSockets
bySteve Agalloco
 
Something wicked this way comes - CONFidence
byKrzysztof Kotowicz
 
Blazor - An Introduction
byJamieTaylor112
 
Why Plone Will Die
byAndreas Jung
 
Ruby is dying. What languages are cool now?
byMichał Konarski
 
Defcon 20-zulla-improving-web-vulnerability-scanning
byzulla
 
Rails development environment talk
byReuven Lerner
 
Cors kung fu
byAditya Balapure
 
High Performance Social Plugins
byStoyan Stefanov
 
Lo4
byliankei
 
Progressive Downloads and Rendering - take #2
byStoyan Stefanov
 

Viewers also liked

PPT
Breaking The Cross Domain Barrier
byAlex Sexton
 
PDF
TEDx Manchester: AI & The Future of Work
byVolker Hirsch
 
PDF
Build Features, Not Apps
byNatasha Murashev
 
PDF
Cross Domain Web
Mashups with JQuery and Google App Engine
byAndy McKay
 
PDF
Google guava - almost everything you need to know
byTomasz Dziurko
 
PPT
How to Embed a PowerPoint Presentation Using SlideShare
byJoie Ocon
 
PPTX
Design Beautiful REST + JSON APIs
byStormpath
 
PDF
3 Things Every Sales Team Needs to Be Thinking About in 2017
byDrift
 
PDF
How to Become a Thought Leader in Your Niche
byLeslie Samuel
 
Breaking The Cross Domain Barrier
byAlex Sexton
 
TEDx Manchester: AI & The Future of Work
byVolker Hirsch
 
Build Features, Not Apps
byNatasha Murashev
 
Cross Domain Web
Mashups with JQuery and Google App Engine
byAndy McKay
 
Google guava - almost everything you need to know
byTomasz Dziurko
 
How to Embed a PowerPoint Presentation Using SlideShare
byJoie Ocon
 
Design Beautiful REST + JSON APIs
byStormpath
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
byDrift
 
How to Become a Thought Leader in Your Niche
byLeslie Samuel
 

Similar to Modern iframe programming

PDF
08 ajax
byYnon Perek
 
PDF
Javascript cross domain communication
byChenKuo Chen
 
PDF
AJAX - An introduction
byEleonora Ciceri
 
PPTX
Evolution Of The Web Platform & Browser Security
bySanjeev Verma, PhD
 
PPTX
Evolution of java script libraries
byColumbia Developers Guild
 
PPTX
Stay Out Please
byefim13
 
PPTX
Google I/O 2012 - Protecting your user experience while integrating 3rd party...
byPatrick Meenan
 
PPTX
Basics of the Web Platform
bySanjeev Verma, PhD
 
PPTX
High Performance Snippets
bySteve Souders
 
PPT
Intro to SPA using JavaScript & ASP.NET
byAlan Hecht
 
PPTX
Secure web messaging in HTML5
byKrishna T
 
PPTX
Web technologies-course 10.pptx
byStefan Oprea
 
PPTX
Cos 432 web_security
byMichael Freyberger
 
PPT
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
byVagner Santana
 
PDF
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
byIvo Andreev
 
PPTX
Html5 security
byKrishna T
 
PDF
Building a js widget
byTudor Barbu
 
PPT
Ajax tutorial by bally chohan
byWebVineet
 
PPTX
JavaScript performance patterns
byStoyan Stefanov
 
PDF
Intro to node.js - Ran Mizrahi (27/8/2014)
byRan Mizrahi
 
08 ajax
byYnon Perek
 
Javascript cross domain communication
byChenKuo Chen
 
AJAX - An introduction
byEleonora Ciceri
 
Evolution Of The Web Platform & Browser Security
bySanjeev Verma, PhD
 
Evolution of java script libraries
byColumbia Developers Guild
 
Stay Out Please
byefim13
 
Google I/O 2012 - Protecting your user experience while integrating 3rd party...
byPatrick Meenan
 
Basics of the Web Platform
bySanjeev Verma, PhD
 
High Performance Snippets
bySteve Souders
 
Intro to SPA using JavaScript & ASP.NET
byAlan Hecht
 
Secure web messaging in HTML5
byKrishna T
 
Web technologies-course 10.pptx
byStefan Oprea
 
Cos 432 web_security
byMichael Freyberger
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
byVagner Santana
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
byIvo Andreev
 
Html5 security
byKrishna T
 
Building a js widget
byTudor Barbu
 
Ajax tutorial by bally chohan
byWebVineet
 
JavaScript performance patterns
byStoyan Stefanov
 
Intro to node.js - Ran Mizrahi (27/8/2014)
byRan Mizrahi
 

Recently uploaded

DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Cleveland, OH Developer Group Dec 2, 2025 Slides for December Demos
byLynda Kane
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Safeguarding AI-Based Financial Infrastructure
bysleepandremedies
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
bysleepandremedies
 
PDF
Transforming SAP® Processes Through Automation: 2026 Trends and Challenges.pdf
byPrecisely
 
PDF
Cybersecurity Prevention and Detection Specialization
byVICTOR MAESTRE RAMIREZ
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
DevSecOps Learning Path - TryHackMe Certificate
byVICTOR MAESTRE RAMIREZ
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Cleveland, OH Developer Group Dec 2, 2025 Slides for December Demos
byLynda Kane
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Safeguarding AI-Based Financial Infrastructure
bysleepandremedies
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
bysleepandremedies
 
Transforming SAP® Processes Through Automation: 2026 Trends and Challenges.pdf
byPrecisely
 
Cybersecurity Prevention and Detection Specialization
byVICTOR MAESTRE RAMIREZ
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
DevSecOps Learning Path - TryHackMe Certificate
byVICTOR MAESTRE RAMIREZ
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 

Modern iframe programming

Editor's Notes