I have a main window [parent window] with an iframe from a third party in it. I have defined some global constants in my main window, which hold confidential information like a login token. I also have two-way message communication between my main window and the iframe.

Can the iframe window access my other global constants from the main window? How can I safeguard them, if such access is possible?

user3769778

1 Answer

I'm assuming the main window is the parent window that contains the iframe. If you're attaching your confidential information to the window object then that's probably not safe.

The child iframe can access the parent window via window.top.

// in parent window
window.confidentialInfo = "foo";

// in iframe
console.log(window.top.confidentialInfo);
// prints "foo"

Otherwise, hard to say without more information.

dwosk
  • Yes, the main window is the parent window, which contains the iframe. No, I am not attaching the token to the window object; instead I am saving it as a separate global constant. – user3769778 Sep 30 '20 at 05:36
  • Then as long as you don't expose them somewhere in the two-way message channel, I'd think it would be fine. – dwosk Sep 30 '20 at 05:44
  • Well I guess as long as the iframe is served from a different domain. See: https://stackoverflow.com/questions/7647042/sharing-global-javascript-variable-of-a-page-with-an-iframe-within-that-page – dwosk Sep 30 '20 at 05:46
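
The two conditions raised in the comments (a cross-origin iframe, and a message channel that never exposes the token) can be enforced on the parent side as below. This is an added example, not code from the original posts; the origin `https://widget.example`, the message types and the token value are constructed assumptions.

```javascript
// Added example. TRUSTED_ORIGIN, the message types and the token are constructed.
const TRUSTED_ORIGIN = "https://widget.example"; // hypothetical third-party origin

function createParentChannel(frameWindow, trustedOrigin) {
  // The token stays in this closure: not on window, not in any reply.
  const loginToken = "constructed-sample-token";

  // Allow-list of requests the iframe may make; each returns non-secret data only.
  const handlers = {
    "get-theme": () => ({ theme: "dark" }),
    "is-logged-in": () => ({ loggedIn: loginToken.length > 0 }),
  };

  return function onMessage(event) {
    // 1. Accept messages only from the embedded third party's origin.
    if (event.origin !== trustedOrigin) return "rejected:origin";
    // 2. Accept messages only from the iframe window we embedded.
    if (event.source !== frameWindow) return "rejected:source";
    // 3. The payload is untrusted input: require a known string type.
    const data = event.data;
    if (typeof data !== "object" || data === null) return "rejected:shape";
    if (typeof data.type !== "string" ||
        !Object.prototype.hasOwnProperty.call(handlers, data.type)) {
      return "rejected:type";
    }
    // 4. Reply with an explicit targetOrigin, never "*".
    const reply = { type: data.type, result: handlers[data.type]() };
    frameWindow.postMessage(reply, trustedOrigin);
    return "handled";
  };
}

// In a page: window.addEventListener("message",
//   createParentChannel(iframeElement.contentWindow, TRUSTED_ORIGIN));

// Constructed demo: a stand-in for iframe.contentWindow records what is sent.
function runConstructedDemo() {
  const sent = [];
  const frame = { postMessage: (msg, targetOrigin) => sent.push({ msg, targetOrigin }) };
  const onMessage = createParentChannel(frame, TRUSTED_ORIGIN);
  const ok = { origin: TRUSTED_ORIGIN, source: frame };
  const results = [
    onMessage({ ...ok, data: { type: "is-logged-in" } }),
    onMessage({ ...ok, origin: "https://other.example", data: { type: "get-theme" } }),
    onMessage({ ...ok, source: {}, data: { type: "get-theme" } }),
    onMessage({ ...ok, data: { type: "get-token" } }),
  ];
  return { results, sent };
}
```

Only the first constructed message is answered; the wrong-origin, wrong-source and unknown-type messages are dropped, and the token never appears in anything posted to the frame.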