Whether most of us are aware of it or not, frames are used on most of the websites we visit, for purposes such as widgets in mashups, containers for advertisements and, at the very least, loading arbitrary documents into web pages. The <iframe> element serves this purpose, while <frameset> and <frame>, which were originally used for navigation, have been made obsolete in HTML5.
Frames are used primarily to isolate untrusted content, such as the remote scripts of widgets or ads, from the rest of the DOM. Frames are subject to the Same Origin Policy when they load remote pages. This means that if an iframe is loaded with a page from the same domain, DOM manipulation is allowed in both directions between the frame and its parent page, whereas if it is loaded with a page from a different domain, DOM access is blocked and the frame provides an isolated environment. The code snippets below should make this clear.
<!-- This is allowed -->
<iframe id="same" src="sameDomainPage.html"></iframe>
<script>
  // Same origin: the parent page can reach into the frame's document
  alert(document.getElementById('same').contentDocument.body); // works fine
</script>
<!-- This is NOT allowed -->
<iframe id="cross" src="http://google.com"></iframe>
<script>
  // Cross origin: the frame's document is not exposed to the parent, so this throws
  alert(document.getElementById('cross').contentDocument.body); // throws error
</script>
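As an added example (not code from the original post), the origin comparison a browser performs before it lets the parent page script a frame, run over the two iframe sources above and extended to the scheme, port and subdomain cases the same rule also covers; the function names and the parent page URL are assumptions made for this illustration:

```javascript
// Added example: the origin check behind the Same Origin Policy for frames.
// originOf() and frameAccess() are names chosen here, not browser APIs.

// An origin is the (scheme, host, port) triple. A relative frame src is
// resolved against the parent document's URL first, as the browser does
// when it loads the iframe.
function originOf(url, base) {
  const u = new URL(url, base);
  // URL leaves .port empty when it is the default for the scheme, so
  // http://a.com and http://a.com:80 already compare as equal below.
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

// The parent may only touch a frame's DOM when both origins match exactly.
// Returns 'allowed' or 'blocked'.
function frameAccess(parentUrl, frameSrc) {
  return originOf(frameSrc, parentUrl) === originOf(parentUrl)
    ? 'allowed'
    : 'blocked';
}

// Constructed parent page URL for the two snippets above.
const parent = 'http://example.com/page.html';
console.log(frameAccess(parent, 'sameDomainPage.html'));        // allowed
console.log(frameAccess(parent, 'http://google.com'));          // blocked
console.log(frameAccess(parent, 'https://example.com/x.html')); // blocked: scheme differs
console.log(frameAccess(parent, 'http://example.com:8080/'));   // blocked: port differs
console.log(frameAccess(parent, 'http://www.example.com/'));    // blocked: subdomain differs
console.log(frameAccess(parent, 'http://example.com:80/other')); // allowed: default port
```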
Most of us are content with this secure isolation of content in frames. But if we look a little deeper into the frame navigation policies implemented in older browsers, the picture becomes scary. This post explains the various frame navigation policies implemented by browsers and why modern browsers are more secure.
Continue reading "Frame Navigation Policies in web browsers-One reason to upgrade to modern browsers" »