I want to set the SessionStorage of an iframe which is located on my page. However, the site in the iframe and my site have different domains. How can I handel that?
Thanks in advance ! :)
If the iframe embed a content that have the same origin has your host website, they will share the same session storage.
If the iframe don't have the same origin as your host website, but you have control over it, you can maybe implement something with the postMessage API, to communicate with your iframe.
If the iframe don't have the same origin as your host website, and you don't have control over it, you can't modify it's session storage for security reasons.
Take a look at this SO thread: sessionStorage in iframe for more info.
Related
I have a web page that will be embedded in iframes on multiple domains. I need to determine which domain is embedding my content.
document.referrer doesn't work, because I need the parent window, not the home page of the site or the page last visited prior to navigating to my page.
I don't have any control over the sites that are embedding my content.
Because of abuse over the years Web-browsers & servers have added security.
One of them being is preventing an iframe from accessing the parent Domain unless it meets the SAME ORIGIN POLICY.
https://en.wikipedia.org/wiki/Same-origin_policy
Now the HOST which your website will be embedded can allow access your to access the parent host. Something called CORS for short.
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
Also check out.
https://en.wikipedia.org/wiki/Web_Messaging
Hope that answer your question some.
I'm going to have several iframes on my page and I'm going to quite intensively use sessionStorage inside them. What I'm curious about is if I will have separate storages or one shared for all iframes? How do the size limits apply?
If sessionStorage is shared depends on the iframe's page and it's origin, which is the domain part of the URL. If you have a webpage at http://myserver/test.html and it is including http://thatserver/some.html via an iframe, the iframe's page has the domain thatserver. Thus the origin differs and the sessionStorage won't be shared. But if the iframe's page is http://myserver/some.html it has the same origin and therefore will share the same session storage.
Now there is an additional trick: The sandbox attribute for the iframe. If you write <iframe sandbox> without the value allow-same-origin the content of the iframe gets a unique origin. That means it would get a different sessionStorage regardless of the real origin that page has. You can write <iframe sandbox="allow-same-origin"> to sandbox the content AND let the content of the iframe to have the same origin (but only if if does have the real same origin).
Now special notes: sandboxed iframes won't support localStorage per spec. And in webkit-browsers and mozilla firefox an exception will be thrown if the sandboxed iframe content will try to access sessionStorage.
OK, I've made a test myself. At least in Chrome (44) and Firefox (40) the sessionStorage is shared among page and the iframes included if they are of the same domain and do not if they are of different domains.
I have a flash game from another website iframed on my site.
I want to prevent users for leaving my site when clicking a banner inside the flash game that redirect to another website.
I tried the sanbox thing but didnt work.
is this possible since the iframed content is a flash game?
Since the iframe is cross domain there isn't really anything you can do unless you have access to that server. Check out CORS(Cross Origin Resource Sharing), but I think even that will only get you as far as XHR requests go. It still wouldn't allow your scripts to access the contents of the iframe unless it is hosted on the same domain.
I'm loading a webpage inside iframe of a background page in chrome extension. I need to fetch the content (i.e. DOM) of iframe. I'm getting protocol error. how to overcome this situation, any workaround.
"Unsafe JavaScript attempt to access frame with URL https://swym.3ds.com/ from frame with URL chrome-extension://ohhaffjbbhlfbbpcdcajbkeippadmipk/back.html. The frame requesting access has a protocol of 'chrome-extension', the frame being accessed has a protocol of 'https'. Protocols must match."
I'm trying to implement a desktop notification for the above site, hiding the process from user eye.
I tried using XMLHTTPRequest and Jquery GET, unfortunately my site loading is unstandard, it doesn't work as intended.
Any suggestion on this topic will be very helpful.
It seems you're facing Cross-origin resource sharing issues. Do a quick check for resources loaded with protocols, convert http://www.example.com resources to //www.example.com Also refer MDN CORS Article
Javascript cannot access content on another domain as it poses security risks. If you have control over the domains, you may use postMessage to overcome this. Take a look at this link
I need to display another website in an iframe. I don't need to access anything on this website I'll be displaying. Is this in violation of the cross domain policy? If so, would a proxy bypass this?
I tried a simply iframe with its src set to http://google.com as a test, and it looks like this does violate this policy. How can I bypass this if I don't need to access anything on the displayed webpage.
No, you can access any site through an iFrame.
What is against the policy is trying to manipulate the site in any way and modern browsers won't let you manipulate it anyways.
Google does allow you to get their site through an iFrame, however, they're using code to "break out of frames", so instead of viewing their site through an iFrame, you'll just be redirected to google.com
Ah, I see now that its only the test page I used, google, that forbids this. Other sites are OK.