Can an embedded 3rd party JS script access or keystroke log an iFrame's content

Ask Question

Asked 1 year, 11 months ago

Modified 1 year, 11 months ago

Viewed 184 times

Say there is a web page with two 3rd party javascript URL scripts embedded in it. One creates a support chat window and the other creates an iFrame within which a user enters payment information into a form.

If the support chat script was compromised and could it get access the payment information? e.g keystroke logging on the page or directly accessing the form information

asked Dec 14, 2023 at 13:44

AndyW

1112 bronze badges

1

Welcome to the community. Have you looked into security.stackexchange.com/questions/23398/… ? You might also find this interesting: youtube.com/watch?v=2up8J9dErHI

Sir Muffington
– Sir Muffington

2023-12-14 17:12:03 +00:00
Commented Dec 14, 2023 at 17:12
1

Modern browsers will isolate JS scopes to same-domain. If the parent/iframe have different domains you can't access it. (The exception is if the iframe explicitly posts messages that the parent can listen to: developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ) Presumably the payment info iframe's src is set to a different domain than the parent or chat iframe. It's likely a payment iframe has additional sandbox settings as well.

browsermator
– browsermator

2023-12-14 22:26:39 +00:00
Commented Dec 14, 2023 at 22:26

Add a comment |

0 You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.

Stack Exchange Network

Can an embedded 3rd party JS script access or keystroke log an iFrame's content

0

You must log in to answer this question.

Linked

Hot Network Questions

Can an embedded 3rd party JS script access or keystroke log an iFrame's content

0

You must log in to answer this question.

Linked

Related

Hot Network Questions