Is this denied by the browser? Is it possible?
If so, are there browser bugs that allow it to happen? I noticed this:
How can you close these bugs and prevent them from working on your website? Can I detect if someone is trying to execute javascript from another domain?
Thanks.
JavaScript is executed by the browser, not the server. If a user wants to, they can execute JavaScript on a website without an iframe. (Type
javascript:alert('hello');
in the address bar.) You cannot stop this, because it is being executed on the client, not on your site itself. Design your site in a way that no matter what they do with JavaScript, it cannot affect the integrity of your site. Use server-side authentication and sessions, sanitize your database input, and do not do any security-based operations on the client side.
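
The server-side checks recommended in the answer above, as an added example that is not part of the original answer. The handler names, request shape, session ids, price table and SQL text are assumptions constructed for illustration.

```javascript
// Constructed sample data: server-side state the browser can never modify.
const SESSIONS = new Map([
  ["s-alice-constructed", { userId: 1, role: "user" }],
  ["s-root-constructed", { userId: 2, role: "admin" }],
]);
const PRICES = new Map([["book", 1500], ["laptop", 90000]]); // in cents

// Look the caller up in the server-side session store, never in the body.
function authenticate(req) {
  return SESSIONS.get(req.cookies && req.cookies.sid) || null;
}

// Hypothetical handler; `req` mimics a parsed HTTP request { cookies, body }.
function handleOrder(req) {
  const session = authenticate(req);
  if (!session) return { status: 401, error: "not logged in" };

  // Every body field may have been edited from the console or a
  // javascript: URL, so validate type and range before using it.
  const { item, qty } = req.body || {};
  if (typeof item !== "string" || !PRICES.has(item))
    return { status: 400, error: "unknown item" };
  if (!Number.isInteger(qty) || qty < 1 || qty > 100)
    return { status: 400, error: "bad quantity" };

  // Security-relevant values come from the server. Client-sent `price`,
  // `userId` or `isAdmin` fields are never read.
  const total = PRICES.get(item) * qty;

  // Values reach the database as bound parameters, not spliced into SQL.
  const query = {
    sql: "INSERT INTO orders (user_id, item, qty, total) VALUES (?, ?, ?, ?)",
    params: [session.userId, item, qty, total],
  };
  return { status: 200, total, query };
}

// Hypothetical admin-only handler: the role is read from the session record.
function handleDeleteUser(req) {
  const session = authenticate(req);
  if (!session) return { status: 401, error: "not logged in" };
  if (session.role !== "admin") return { status: 403, error: "forbidden" };
  const targetId = (req.body || {}).targetId;
  if (!Number.isInteger(targetId) || targetId < 1)
    return { status: 400, error: "bad user id" };
  return { status: 200,
           query: { sql: "DELETE FROM users WHERE id = ?", params: [targetId] } };
}
```

A request whose body was tampered with in the browser (for example `price: 1, isAdmin: true`) is still charged the server's price and still refused admin actions.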