Does the iframe in the website pose a threat to the website? How to prevent it?

Source: Internet
Author: User
How to prevent security threats from unknown websites in an iframe?
How can we prevent these threats?
For example, how do Sina Weibo's on-site applications prevent iframed websites from obtaining user information?

Hope you can answer this question! Thank you!

Reply content:


@Sha Miao: it is still a threat. A window inside an iframe can change the top-level window's location to jump to another page, which enables phishing attacks.

There was no good solution before the HTML5 standard.
HTML5 defines the sandbox attribute for iframes, which lets you whitelist the capabilities the iframe is allowed to use.
Specific implementation: http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

Cross-origin requests from JavaScript are prohibited by all browsers; there is no room for discussion.

This has nothing to do with iframes. Inside the frame, outside the frame, or between iframes... cross-origin access is not allowed.

All the security statements are based on this. In the browser's security model, there is no difference between two web pages inside and outside an iframe and two pages in separate tabs.

Isn't the browser restricted by the same domain?

If the first-level domain names of the two pages are different, how could the page in the iframe control the external page?

Of course, if the two pages differ only in their second-level domain names, for example a.segmentfault.com and b.segmentfault.com, you can set the document.domain of both pages to the same value through JS:

document.domain = "segmentfault.com";

In this way, the JS of the two pages can call each other. This feature can be used for cross-origin requests between two second-level domain names under the same first-level domain name.

However, if the first-level domain names are different, there is no direct control. The browser returns an error directly. How can this cause a threat?

In the case of different origins, the iframe obtains at most the URL of the external page, and nothing else can be obtained. Therefore, make sure that there is no private content in the URL.

As far as my current experience goes, an iframe cannot be scripted at all once it is cross-origin: you cannot even bind an onclick event, let alone operate on the parent page's DOM. Of course, if there is no cross-origin issue, an iframe can be used to operate on the parent page or child pages.
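Added example (mine, not the poster's): a small JavaScript model of the rule this answer describes, i.e. when a script in one page may touch the DOM of another (parent, iframe, or another tab), including the document.domain relaxation. It models browser behaviour rather than calling any browser API, so it runs in Node; the hostname-suffix check is a simplification of the real public-suffix rule.

```javascript
// Added example, not from the original thread: a model of the browser's
// same-origin check for script access between two pages, including the
// legacy document.domain relaxation discussed above.
// Assumptions: each page is { url, domain } where "domain" is the value the
// page assigned to document.domain, or null if it never set one.

function parseOrigin(url) {
  const u = new URL(url);
  // URL normalises default ports to "", so http://a.example.com:80 and
  // http://a.example.com compare as the same origin.
  return { scheme: u.protocol.replace(":", ""), host: u.hostname, port: u.port };
}

// document.domain may only be set to the host itself or a parent domain.
// A real browser also rejects public suffixes via the public-suffix list;
// here we approximate that by rejecting single-label values such as "com".
function validDomainFor(host, domain) {
  if (domain === null) return true;
  if (!domain.includes(".")) return false;
  return host === domain || host.endsWith("." + domain);
}

// True if a script in page A may access the DOM of page B. The rule is the
// same whether B is the parent, a child iframe, or a page in another tab.
function canScriptAccess(a, b) {
  const oa = parseOrigin(a.url), ob = parseOrigin(b.url);
  if (!validDomainFor(oa.host, a.domain) || !validDomainFor(ob.host, b.domain)) {
    return false; // the assignment itself would have thrown a SecurityError
  }
  if (a.domain === null && b.domain === null) {
    // plain same-origin: scheme, host and port must all match
    return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
  }
  // "same origin-domain": BOTH sides must have set document.domain to the same
  // value and share a scheme. If only one side set it, access is denied, even
  // when the two pages were originally same-origin; the port is ignored here.
  return a.domain !== null && b.domain !== null &&
    a.domain === b.domain && oa.scheme === ob.scheme;
}
```

Note the edge case the answer does not spell out: if only one of the two pages sets document.domain, the browser treats them as different origins even when their URLs were identical.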
