How secure is an iframe from one domain?

W

WalkinDed2019-02-11 17:21:02

JavaScript

WalkinDed, 2019-02-11 17:21:02

Good day!.
A question. I need to connect the Google Analytics counter (it is connected via the tag manager) to some pages in order to send a js object with data, but I can’t do this, because in addition to my custom data, the analytics will collect other data, and I have private user data on these pages.
I came up with a solution to connect an iframe on these pages, and already connect analytics inside the iframe-a, and pass only the necessary data from the main window to this iframe.
I do the following
js code in the main window
var data = {
'event': '***',
'eventCategory': '****',
'eventAction': '****r'
};
var iframe = window.frames.test;
iframe.onload = function () {
iframe.postMessage(data);
};
Code in iframe:
function listener (event) {
dataLayer.push(event.data);
}
window.addEventListener("message", listener);
How safe is this method? If, for example, instead of the google analytics code that connects to the iframe, there is malicious js, will it be able to reach the data of the main window? If so, how can this case be banned?
Thank you.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

N

nvdfxx, 2019-02-11
@nvdfxx

there is no way to access the parent window from the iframe, the question is different, if you have such important information there, Google analytics is your least of the problems. It can be turned off simply on pages with confidential information, there is hardly anything important for analytics on these pages