I have to pass authentication token from my website to my iframe in a secure way. My iframe is located on the same domain as my website.
Is it secure to pass auth token as parameter to iframe's src property? I mean:
<iframe src={"/purse/index.html?auth_token=" + token} /> UPDATE: By secure I mean that no-one except current (signed in) user have a chance to access the token.
P.S. In your answer pls also describe the way auth_token could be stolen with my approach
Technically an auth_token does not provide security, it provides identity. Security would be provided by your encryption and authentication system, usually SSL with some form of login. The auth_token is usually set after authentication and passed over an SSL encrypted connection back to the user. Based on the 'src' in the provided snippet, it appears to be to the same application space - no host info that would suggest a different host. If SSL is still being used to encrypt the connection, then there should not be a concern with anyone else 'seeing' that users auth_token.
The other answer is partially correct. Ultimately it is up to you to determine if the token is allowed to be viewed by others. In this situation, you are allowing that token to be public.
URLs are public and this includes the query parameters. So in this situation, the iframe is loaded and anyone can have access to that token. This includes, systems that log the URL, malicious JS on the page, and anyone snooping on network traffic. To securely pass the token you must include it in the signed part of the request, such as a header (and of course be using TLS or some other security mechanism).
$frame.on('load', () => $frame.contentWindow.init(token)). Is it secure?