Limiting Cookie Usage within iframe
Browser Storage Sandbox Testing
IFrame sandbox and credentialless Attributes
Chromium (and maybe webkit? (update: sadly seems no) based browsers offer some features that allow the creator of an
iframe to sandbox any code running in it. Two of those features are controlled via the sandbox
and credentialless attributes. The
This is valuable in cases where a page-owner wants to allow third party content to be loaded into a frame, but limit interactions with the user and sandbox the code in frame.
Demo Overview
Below you can self-demo this functionality with different options. The test involves an endpoint returning content to an iframe, and in its resposne setting a cookie. You can control the attributes on the iframe and origin of the request, which will let you explore how cookie persistence is impacted by different settings.
The form will reload this page with the selections as query params, at which point the load handler will:
- Clear the cookies for each of the available domains.
- Load an iframe with the "set-cookie" endpoint as its src
- That endpoint returns "content" describing the request
it saw, including cookies, and also includes a
set-cookie header. - After (2) completes, there will be a second load to the same endpoint, as well as a second page open that loads the "content" showing what cookies the endpoint sees.
You should expect to see the cookie for the second frame on page, but not for the second page load.
Demo
The form below allows you to set up several parameters for:
- Domain: You can select whether to test cookie setting from the same origin as this page, or one of two others.
- Cookie Params: all cookie params are available, to learn more see here.
- iframe Attributes: you can specify whether to use
sandbox and/orcredentialless , and forsandbox you can choose any of the allows.