Will the IFRAME within the site pose a threat to the site? How to prevent it?

How can I prevent security threats from unknown sites within an IFRAME?
If there is a threat, how do you prevent it?
For example, Sina Weibo website application, how they prevent the site within the IFRAME to obtain user information?

Hope to get your answer! Thank you!

Reply content:

How can I prevent security threats from unknown sites within an IFRAME?
If there is a threat, how do you prevent it?
For example, Sina Weibo website application, how they prevent the site within the IFRAME to obtain user information?

Hope to get your answer! Thank you!

@ sand is still a threat, the iframe window can replace the top-level window path, so as to achieve jump page, resulting in the risk of phishing attacks.

There is no good solution before the HTML5 standard.
HTML5 defines the sandbox properties of an IFRAME, which can optionally function as a whitelist iframe.
Concrete implementation: http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

JavaScript cross-domain requests are prohibited by all browsers and there is no room for negotiation, given that the content provider's server is not explicitly authorized.

This is not related to the iframe inside and out. Outside the pollution inside, inside snooping outside, or IFRAME cross-correlation between ... As long as the cross-domain, are not allowed.

All security is based on this article. IFrame inside and out two pages, in fact, in the browser security system, and two tabs side by side, and there is no difference.

are browsers not restricted to the same domain?

If the first-level domain name of the two pages is different, how can the pages in the IFRAME control the external pages?

Of course, if two pages are just two different domain names, such as between a.segmentfault.com and b.segmentfault.com, you can use JS to set two pages document.domain the same,

document.domain=segmentfault.com;

So two pages of JS can call each other. This feature can be used to cross-domain requests between two two-level domain names under a single-level domain name.

But if the first-level domain name is not the same, there is no direct control of the possible, the browser directly to the return error, how to create a threat?

In the case of different sources, the IFRAME gets the URL of the external page at most, and nothing else gets. So make sure you don't write anything too private in the URL.

In my current experience, the IFRAME as long as the cross-domain, you are not able to take it, even the onclick event can not bind, do not say the operation of the parent page DOM, of course, if there is no cross-domain, IFRAME is fully operable parent page or sub-page

