sessionStorage in iframe

T

2

16

I'm going to have several iframes on my page and I'm going to quite intensively use sessionStorage inside them. What I'm curious about is if I will have separate storages or one shared for all iframes? How do the size limits apply?

Trehalose answered 27/8, 2015 at 11:26 Comment(2)

Local storage is per domain. All pages, from one domain, can store and access the same data. So this would definitely share local storage data between frames (assuming they're from the same domain). Session storage is per browser tab or window so I would guess it uses separate storages as I always think of frames as completely different windows. This is an interesting and relevant read about browser / frame security: #2570268 – Fortalice 27/8, 2015 at 11:45

@mikeecb I don't need local storage. I need session storage. I guess the same, but I hoped somebody knows for sure. – Trehalose 27/8, 2015 at 11:47

T

18

OK, I've made a test myself. At least in Chrome (44) and Firefox (40) the sessionStorage is shared among page and the iframes included if they are of the same domain and do not if they are of different domains.

Trehalose answered 27/8, 2015 at 12:27 Comment(1)

On my side, it triggers exception only in private navigation mode (chrome 84) – Trueblood 14/8, 2020 at 11:12

O

24

If sessionStorage is shared depends on the iframe's page and it's origin, which is the domain part of the URL. If you have a webpage at http://myserver/test.html and it is including http://thatserver/some.html via an iframe, the iframe's page has the domain thatserver. Thus the origin differs and the sessionStorage won't be shared. But if the iframe's page is http://myserver/some.html it has the same origin and therefore will share the same session storage.

Now there is an additional trick: The sandbox attribute for the iframe. If you write <iframe sandbox> without the value allow-same-origin the content of the iframe gets a unique origin. That means it would get a different sessionStorage regardless of the real origin that page has. You can write <iframe sandbox="allow-same-origin"> to sandbox the content AND let the content of the iframe to have the same origin (but only if if does have the real same origin).

Now special notes: sandboxed iframes won't support localStorage per spec. And in webkit-browsers and mozilla firefox an exception will be thrown if the sandboxed iframe content will try to access sessionStorage.

Orvie answered 1/1, 2017 at 12:37 Comment(1)

Hey! I'm doing something very similar: "myserver" is the parent page and "thatserver" is the iframe. However, in the page at thatserver, I want to set a SessionStorage for its own origin ("thatserver"). For some reason it seems like the sessionStorage is not being set, as the page in the iframe should behave differently according to the presence of that sessionStorage variable. – Warrant 16/6, 2023 at 16:25

T

18

OK, I've made a test myself. At least in Chrome (44) and Firefox (40) the sessionStorage is shared among page and the iframes included if they are of the same domain and do not if they are of different domains.

Trehalose answered 27/8, 2015 at 12:27 Comment(1)

On my side, it triggers exception only in private navigation mode (chrome 84) – Trueblood 14/8, 2020 at 11:12

Recommended topics

Hot tags