Currently I have the document.domain to be www.xyz.com and I wanted to change it to www.abc.com for which I wrote the below code.
document.domain = new_domain // where new_domain="www.abc.com"
Works for all the browsers except IE, where it shows invalid argument error for the above statement
I even tried to use .postMessage but no success.
This seems to be kinda stopper for me to load my iframe which I have already created in the DOM with height and width as 0. And use the below code to set the src
CI_jQuery('#print-frame').attr('srcdoc', data);
CI_jQuery('#print-frame').attr('sandbox', 'allow-same-origin allow-scripts allow-popups allow-modals allow-forms allow-downloads');
where data is the complete html content for the iframe and CI_jQuery = jQuery
Related
I have an sandboxed iframe that doesn't allow changing location:
<iframe sandbox="allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts" class="iframe visible" src="thesource.html" width="100%" scrolling="auto" frameborder="0"></iframe>
If the iframe tries to unframe itself or change location I see a blank page because the browser stops the iframe's operation. This is the log from Chrome:
Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://example.com' from frame with URL 'http://otherdomaian.com'. The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.
That is great but I want to catch this so if it happens I'll move to the next iframe. So how do I catch this attempt?
EDIT:
I added a jsfiddle code (check the error in the console log)
I also tried to listen for an event with no success:
document.addEventListener('error', receiveMessage, true);
function receiveMessage(error) {
alert("iframe tried to unframe itself");
}
I am new here so I don't have enough reputation to comment on answers and I apologize if I am doing this wrong, but the accepted solution will unfortunately not be able to accomplish what you are looking for.
I was able to demonstrate what I mean by having the script from the JSFiddle above run once the DOM is ready (there will be no alert but still an error in the console). Here's a little more detail on what happens currently with that fiddle:
// running with the No wrap - in <head> option
var frame = document.querySelector('iframe'); // null, the iframe isn't there yet
try {
frame.src="http://wedesignthemes.com/themes/redirect.php?theme=wedding";
} catch(e) {
// TypeError here, no hints about the iframe :(
alert('Error!');
}
The exception that is being caught has nothing to do with the iframe, it is actually a type error from trying to set the src property on a null value.
What you really want to do is catch the error inside of the iframe (when the sandboxed script tries to access window.top), but this is not possible because of the Same-origin policy. Btw, setting the "allow-same-origin" sandbox flag only has any effect when the iframe content is being served from the same origin as the top level document. E.g. as soon as the src or location of the iframe is changed to a different origin, there's no way to touch anything inside.
There are ways to communicate across iframe boundaries, such as with window.postMessage or the older and hackier way of using the iframe's location.hash, but I am assuming you can't affect the source of the page going into your iframe. (A nice developer would of course be open to suggestions and see that a feature like this could be useful.)
The only way that I was able to catch this error without violating any browser security policies was to set the allow-top-navigation sandbox flag and then use the window.onbeforeunload handler in the top level document to catch the navigation attempt from the child iframe. I would never recommend this because the user experience is awful. There is no way to prevent the navigation without prompting the user about whether they want to leave the page or not. Proof of concept below:
<iframe id="myframe" sandbox="allow-scripts allow-top-navigation"></iframe>
<script>
var url = "http://wedesignthemes.com/themes/redirect.php?theme=wedding",
frame = document.getElementById("myframe"),
listener;
listener = window.addEventListener("beforeunload", function(e) {
e.preventDefault();
e.stopImmediatePropagation();
// The iframe tried to bust out!
window.removeEventListener("beforeunload", listener);
return "This is unavoidable, you cannot shortcut a " +
"navigation attempt without prompting the user";
});
frame.src = url;
</script>
So unfortunately I can't find any ways to do this nicely in current browser implementations without help from your 3rd party content developer. I read some interesting things in the HTML5 spec that might allow us to do things like this in the future (and am unfortunately maxed out on my number of links I can insert here), so I would keep an eye out as things progress.
Example:
An with extra restrictions:
<iframe src="demo_iframe_sandbox.htm" sandbox=""></iframe>
the sandbox attribute is supported in Internet Explorer 10, Firefox, Chrome, and Safari.
Note: The sandbox attribute is not supported in Internet Explorer 9
and earlier versions, or in Opera.
Definition and Usage
If specified as an empty string (sandbox=""), the sandbox attribute
enables a set of extra restrictions for the content in the inline
frame.
The value of the sandbox attribute can either be an empty string (all
the restrictions is applied), or a space-separated list of pre-defined
values that will REMOVE particular restrictions.
Differences Between HTML 4.01 and HTML5
The sandbox attribute is new in HTML5.
Syntax
<iframe sandbox="value">
Attribute Values
"" => Applies all restrictions below
allow-same-origin => Allows the iframe content to be treated as being from the same origin as the containing document
allow-top-navigation => Allows the iframe content to navigate (load) content from the containing document
allow-forms => Allows form submission
allow-scripts => Allows script execution
javascript: is a kind of weird URI protocol. It works in some contexts, like , but not all - for instance, a window's location can not be set to such a URI. (While you can assign a javascript: URI to window.location as a really roundabout way of running a script, the window's location doesn't stay set to that value.)
To write content into an IFRAME, get a reference to the frame's document and write to it. Doing so will require that you set the allow-same-origin sandbox flag.
<iframe id="myframe" sandbox="allow-scripts allow-same-origin" src="about:blank"></iframe>
<script>
var frame = document.getElementById("myframe");
var fdoc = frame.contentDocument;
fdoc.write("Hello world"); // or whatever
</script>
Live example: http://jsfiddle.net/wUvrF/1/
You can now do this with allow-top-navigation-by-user-activation
I'm trying to get iFrame sandboxing to work, and Firefox is giving me trouble.
<iframe src="" scrolling="no" sandbox=""></iframe>
I use jQuery to set the iFrame's src attribute to one of several different pages. But my target pages have JavaScript in them that makes them break out of my iFrame. I counter that with the sandbox attribute, which is supposed to prevent JavaScript from running inside the iFrame. This works great in Chrome and Internet Explorer, but in Firefox as soon as I load the target page into the iFrame it takes over the whole window.
Firefox's documentation says it fully supports the sandbox attribute. Am I doing something wrong? Installing NoScript and telling my browser not to run JavaScript from the target site makes everything work fine, but obviously I don't want Firefox users to have to install an addon before my site will work.
If you are manipulating or setting the sandbox attribute after the iframe is in the DOM, it will completely ignore the setting. You must set it before the iframe element is added to the DOM.
I'm trying to access the inside of a dynamically inserted iframe (inserted from a script that was loaded from a different domain than the host page) in ie9 on twitter.com so that i can write content into it. I tried setting the src to both '' and about:blank. Accessing the contentDocument throws an Access denied error, and accessing the contentWindow returns nothing. Why is this and is there a way around it? It works in other browsers, but for some reason is seems that Twitter might be doing something to prevent this and I'm curious as to what it is.
I use the following and I believe it works on all browsers that support iframe.
var iframe = document.createElement("iframe");
document.body.appendChild(iframe);
var iframeDoc = iframe.contentWindow.document;
iframeDoc.open();
iframeDoc.write(html);
iframeDoc.close();
I don't set #src at all.
I want to do redirect a page from an iframe, specifically i want to redirect the top page from an iframe.
so im using:
top.window.location = 'http://xxx'
Its working fine in mozzila or chrome, but in ie i get: permission denied error. I found some infor that this is cross-domain scription problem:
http://www.mombu.com/microsoft/microsoft/t-ie-shows-permission-denied-javascript-error-on-toplocationhre-4565452-last.html
i i dont know how to do it any other way - to redirect parent window to some url from a iframe, wich sits on different url (obviously)
thank for your help...
There is a way to redirect the parent frame cross-domain. It's a trick, actually. :-) It will work if you have access to the server hosting the parent frame.
Inside your frame, create a child frame, too small to be seen, from the same domain as the parent frame. Your little child frame is allowed to change the parent document's location.
Parent:
<iframe src="http://other-domain/doc.html"></iframe>
doc.html
All the stuff from the document...
<iframe width="0" height="0" src="http://original-domain/trick.html"></iframe>
trick.html
<script>
window.location.replace("http://xxx");
</script>
I had the same problem, using:
top.window.location= "http://www.google.com";
and I changed it to:
window.parent.location = "http://www.google.com";
Which solved it for me.
I tried to run a line of code as the following:
document.getElementById('frame0').contentDocument.location.reload(true); to force iframe to refresh or reload but I got the error like "permission denied" in firefox. Does anyone know why? and help to offer a solution? Thanks!
It is probably because of crossdomain issues - looks like your iframes content is from another domain as your mainframe (from which you run your js code). FF is very restrictive concerning crossdomains.
You can't reload a document that comes from a different hostname, due to the Same origin policy, which applies in all browsers.
You would have to remove the iframe from the page and replace it with a new one:
var iframe= document.getElementById('frame0');
var newiframe= document.createElement('iframe');
newiframe.src= iframe.src;
iframe.parentNode.replaceChild(newiframe, iframe);
However this will load the original src of the <iframe>, which won't be the same as the current location if the user has navigated the page since.