Return to Answer

• using any CORS configuration?

Yes, victor.eve.tld/ has to allow the IP address of victor.alt in her Access-Control-Allow-Origin header. This way the page at victor.alt can send a regular XHR to victor.eve.tld/ and verify the contents of the HTML it retrieves, and verify all referenced scripts too.

• while allowing read-only access?
• while limiting the the parent window's access to the content of the iFrame?

These do not exist, an iframe cannot read the contents of another iframe unless they are on the same domain.

You can also do it without the CORS on victor.eve.tld, it is possible when victor.alt has a proxy service that can successfully load the webpage at victor.eve.alt. You can try it out yourself live by pasting the following code into the console at http://hileco.com/, which executes the code in a child iframe at sandbox.hileco.com ( Paste it, reload sandbox, run )

require(["module/http"], function (httpModule) { // httpModule is a proxy at sandbox.hileco.com aka victor.alt httpModule.get("http://hileco.com", function(xhr){ // hileco.com is victor.eve.alt if(xhr.responseText.length == 7740){ // note that this will change in the future in the case of hileco.com :-) console.log("7740? Undoubtedly this must be the untampered hileco.com"); } else{ console.log("Run!"); parent.location = "about:blank;"; } }); }); 

• using any CORS configuration?

If Eve sets her CORS header to Access-Control-Allow-Origin "victor.alt" Victor can verify the contents of the HTML it retrieves and verify all referenced scripts as well.

• while allowing read-only access?
• while limiting the the parent window's access to the content of the iFrame?

Neither of these exist, an iFrame cannot read the contents of another iFrame unless they are on the same domain.

However, you could push any user information you want to keep private from Victor into a sandboxed iFrame and using window.postMessage to communicate between frames. Victor can monitor the activity between the two to ensure that no information is being leaked.

It is possible when victor.alt has a proxy service that can load the webpage at victor.eve.alt. You can try it out yourself live by pasting the following code into the console at http://hileco.com/, which executes the code in a child iframe at sandbox.hileco.com ( Paste it, reload sandbox, run )

require(["module/http"], function (httpModule) { // httpModule is a proxy at sandbox.hileco.com aka victor.alt httpModule.get("http://hileco.com", function(xhr){ // hileco.com is victor.eve.alt if(xhr.responseText.length == 7740){ // note that this will change in the future in the case of hileco.com :-) console.log("7740? Undoubtedly this must be the untampered hileco.com"); } else{ console.log("Run!"); parent.location = "about:blank;"; } }); }); 

Or, if victor.eve.alt has victor.alt ( or in this case the IP ) in the Access-Control-Allow-Origin header, then the victor.alt iframe can send an XHR request to victor.eve.alt, without requiring a proxy server at victor.alt.

• using any CORS configuration?

Yes, victor.eve.tld/ has to allow the IP address of victor.alt in her Access-Control-Allow-Origin header. This way the page at victor.alt can send a regular XHR to victor.eve.tld/ and verify the contents of the HTML it retrieves, and verify all referenced scripts too.

• while allowing read-only access?
• while limiting the the parent window's access to the content of the iFrame?

These do not exist, an iframe cannot read the contents of another iframe unless they are on the same domain.

You can also do it without the CORS on victor.eve.tld, it is possible when victor.alt has a proxy service that can successfully load the webpage at victor.eve.alt. You can try it out yourself live by pasting the following code into the console at http://hileco.com/, which executes the code in a child iframe at sandbox.hileco.com ( Paste it, reload sandbox, run )

require(["module/http"], function (httpModule) { // httpModule is a proxy at sandbox.hileco.com aka victor.alt httpModule.get("http://hileco.com", function(xhr){ // hileco.com is victor.eve.alt if(xhr.responseText.length == 7740){ // note that this will change in the future in the case of hileco.com :-) console.log("7740? Undoubtedly this must be the untampered hileco.com"); } else{ console.log("Run!"); parent.location = "about:blank;"; } }); }); 

It is possible when victor.alt has a proxy service that can load the webpage at victor.eve.alt. You can try it out yourself live by pasting the following code into the console at http://hileco.com/, which executes the code in a child iframe at sandbox.hileco.com ( Paste it, reload sandbox, run )

require(["module/http"], function (httpModule) { // httpModule is a proxy at sandbox.hileco.com aka victor.alt httpModule.get("http://hileco.com", function(xhr){ // hileco.com is victor.eve.alt if(xhr.responseText.length == 7740){ // note that this will change in the future in the case of hileco.com :-) console.log("7740? Undoubtedly this must be the untampered hileco.com"); } else{ console.log("Run!"); parent.location = "about:blank;"; } }); }); 

It is possible when victor.alt has a proxy service that can load the webpage at victor.eve.alt. You can try it out yourself live by pasting the following code into the console at http://hileco.com/, which executes the code in a child iframe at sandbox.hileco.com ( Paste it, reload sandbox, run )

require(["module/http"], function (httpModule) { // httpModule is a proxy at sandbox.hileco.com aka victor.alt httpModule.get("http://hileco.com", function(xhr){ // hileco.com is victor.eve.alt if(xhr.responseText.length == 7740){ // note that this will change in the future in the case of hileco.com :-) console.log("7740? Undoubtedly this must be the untampered hileco.com"); } else{ console.log("Run!"); parent.location = "about:blank;"; } }); }); 

Or, if victor.eve.alt has victor.alt ( or in this case the IP ) in the Access-Control-Allow-Origin header, then the victor.alt iframe can send an XHR request to victor.eve.alt, without requiring a proxy server at victor.alt.