Saturday, 29 May 2021

Why is iframe DOM access restricted for cross-site usage?

Today, I was starting to build a trading tool. Luckily, TradingView.com gives you free access, where you can embed charts legally on your website via iframes.

I planned to select a stock symbol within the iframe (see picture: left corner "BTCUSDT") and read the chosen symbol name via JavaScript. For example, when I choose "BTCUSDT" (or Bitcoin) I want to fetch this value, so I know which cryptocurrency I want to order by using another API service. I found out that "for security reasons" this is not possible.

However, in the picture you can see that iframe elements can be easily accessed by hand. So, why can't we read them out from JavaScript as well? What kind of (effective) security breach would that be?

[Image: screenshot of the embedded TradingView chart, with the symbol selector in the top-left corner showing "BTCUSDT"]

Well... I can understand that some people might use this for evil phishing purposes, but will this effectively stop them? They might use a proxy or another workaround for that. On the other hand, only reading a simple value for a tool meant to be embedded cross-site makes it more complicated than it should be.

Python has a beautiful library called "BeautifulSoup". Here you can enter a URL, and it reads all the DOM elements from a website. I don't understand how this is possible in Python but restricted in JavaScript.

I have found no reasonable answer or solution for these kinds of scenarios. If this is meant for higher security, there are many ways to read out those values other than relying on JavaScript. So why restrict them?
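The restriction the question runs into is the browser's same-origin policy, and the difference from BeautifulSoup is the cookies: when a page embeds an iframe, the browser fetches the framed page with the visitor's own cookies for that site, so the frame renders whatever that visitor is logged into; a server-side scraper or a proxy sends no such cookies and only ever sees the logged-out page. If a cross-origin parent could read the frame's DOM, any site you visited could embed your bank, mail or broker and read your private view. The block below is an added example, not code from the original post or from TradingView: it models the origin comparison a browser performs before allowing `frame.contentDocument` access, simulates what an unrestricted read would leak, and shows the sanctioned alternative, `window.postMessage` with an `event.origin` check, which only works if the embedded page cooperates by posting the value (whether TradingView's widget does so is not claimed here). The hostnames, the cookie value and the rendered HTML are constructed for the example.

```javascript
// Added example (not from the original post). Plain Node.js, no dependencies.
// Part 1: the same-origin check. Part 2: what a cross-origin DOM read would
// leak and why a scraper cannot get it. Part 3: the postMessage pattern.

// An origin is the tuple (scheme, host, port); path, query and fragment are
// ignored. A default port compares equal to its explicit form.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${u.port || defaultPort}`;
}

// The browser lets a parent touch frame.contentDocument only when both
// origin tuples match exactly.
function canAccessFrameDom(parentUrl, frameUrl) {
  return originOf(parentUrl) === originOf(frameUrl);
}

// Constructed stand-in for a site that shows private data only when the
// request carries that user's session cookie (hypothetical hostname).
const CONSTRUCTED_SITES = {
  "https://bank.example:443": (cookie) =>
    cookie === "s3ss10n" ? '<p id="balance">Balance: 12,345.67</p>'
                         : '<p>Please log in</p>',
};

// The browser attaches the visitor's cookies for the frame's origin on its
// own. A server-side scraper (BeautifulSoup, a proxy) has no such cookies,
// so the same function called with an empty jar yields the logged-out page.
function renderFrame(frameUrl, cookieJar) {
  const origin = originOf(frameUrl);
  const site = CONSTRUCTED_SITES[origin];
  if (!site) throw new Error(`no constructed site for ${origin}`);
  return site(cookieJar[origin]);
}

// What a parent page gets when it tries to read the frame's document.
function readFromFrame(parentUrl, frameUrl, cookieJar) {
  if (!canAccessFrameDom(parentUrl, frameUrl)) {
    // Real browsers throw a DOMException named SecurityError at this point.
    throw new Error(
      `SecurityError: Blocked a frame with origin "${originOf(parentUrl)}" ` +
      `from accessing a cross-origin frame.`);
  }
  return renderFrame(frameUrl, cookieJar);
}

// The sanctioned channel: the embedded page calls parent.postMessage(...)
// and the embedder verifies event.origin before trusting event.data.
// Returns the accepted symbol, or null when the message is rejected, so the
// logic can be exercised without a DOM.
function makeSymbolListener(trustedFrameOrigin) {
  const trusted = originOf(trustedFrameOrigin);
  return function onMessage(event) {
    let sender;
    try { sender = originOf(event.origin); } catch { return null; } // "null" / opaque origin
    if (sender !== trusted) return null;                 // message from another site
    const symbol = event.data && event.data.symbol;
    if (typeof symbol !== "string") return null;         // unexpected shape
    if (!/^[A-Z0-9]{2,12}$/.test(symbol)) return null;   // e.g. "BTCUSDT"
    return symbol;
  };
}

// Walk through the three cases; returns the results for inspection.
function demo() {
  const jar = { "https://bank.example:443": "s3ss10n" };
  let blocked = null;
  try {
    readFromFrame("https://evil.example/", "https://bank.example/account", jar);
  } catch (e) { blocked = e.message; }
  const onMessage = makeSymbolListener("https://www.tradingview.com");
  return {
    sameOrigin: readFromFrame("https://bank.example/app", "https://bank.example/account", jar),
    crossOrigin: blocked,
    scraperView: renderFrame("https://bank.example/account", {}),
    accepted: onMessage({ origin: "https://www.tradingview.com", data: { symbol: "BTCUSDT" } }),
    spoofed: onMessage({ origin: "https://evil.example", data: { symbol: "BTCUSDT" } }),
  };
}
```

`demo()` shows the point of the question in one place: the same-origin read returns the private balance, the cross-origin read is blocked, the cookie-less scraper only ever gets "Please log in", and a symbol is accepted only when the message really comes from the trusted frame origin. In a real page you would register the listener with `window.addEventListener("message", onMessage)`, and the embedded page would send it with `window.parent.postMessage({ symbol }, "https://your-site.example")`, naming the intended receiver so the value is never delivered to a different embedder.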
