I'm loading an external domain site in an iFrame. I'm trying to monitor any url changes within that I frame and its location. I know there is a restriction with 'Same Origin Policy'. In chrome I can left click on an iFrame and select "view frame source" to view the html and other data. Is there anyway to do this with javascript in conjunction with Chrome?
I tried to monitor the url through iframe.src however that property does not update on url change.
This is the iFrame I am using. Which I can view a change event via an onload function.
<iframe src="https://en.wikipedia.org/wiki/Porsche_911" frameborder="0" onload="monitor ">
https://codepen.io/anon/pen/xWaGNx?editors=1111
This is not possible unless you have some kind of CORS (Cross Origin Resource Sharing) arrangement with the source domain (they would need to white list your domain in the appropriate HTTP header).
CORS prevents access to the content of documents that come from another domain. This is for security reasons. Otherwise, what would prevent you from framing the secure login page of some bank, but modifying the code on it to send you the access details?
Related
Can I embed a Microsoft Teams video meeting into my website using an iframe or other technology?
When I tried, I got this error:
Refused to display 'https://teams.live.com/' in a frame because it set
'X-Frame-Options' to 'sameorigin'.
Can it be cheated somehow?
No you can't. The error message is telling you exactly why not: Microsoft have set a HTTP header in the Teams site which instructs the browser not to load the page into any kind of frame unless that frame is within the teams.live.com website.
The MDN documentation for X-Frame-Options says
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites
This is not something you can override - if you could, setting the header would immediately become completely pointless, since anyone with malicious intent would simply choose to ignore it.
Good day everyone.
So I have a website and I am trying to embed in an iframe a dynamics server and it keeps throwing an error something about
'Refused to display https://XXXXXXXXXXXX in a frame because it set 'X-Frame-Options' to 'deny'.
Any ideas how I can get it to work?
This happens when we try to redirect the page to a login page.
Thanks
Check X-Frame-Options hearder:
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
Based on the above statement, this is something that the 'https://XXXXXXXXXXXX' has added to the page to disallow it from being used as an <iframe>
You can see that this can even be configured globally on a web server level, to secure all the websites.
If the website is in the same domain the workaround is easier using SameOrigin value.
If you want to allow all, then just don't set the response header for the XXXXXXXX site at all (if you have access to it).
This MSDN article explains that READS are not permitted by the same-origin policy.
Specifically, it says:
Webpage from Origin A:
May include (execute) a frame pointed at a HTML page from “B”
Must not be permitted to get the inner HTML of that frame
How can another html file be "included (executed)", without the content of it being accessed?
What does "included (executed)" even mean in this context?
This is referring to the fact that the user viewing the page can see the content of the iframe, but scripts running on the framing page cannot access the content of the framed page. Consider analogously that an <img> tag will show an image from any origin to a user, but scripts within the page that contains the <img> tag might not be able to read the contents of the loaded image.
This is important because the framed page is from a different origin and was fetched using the user's cookies from that origin. Suppose the framed page was mail.google.com: certainly I don't want any random webpage to read the contents of my inbox simply by loading it in an iframe. However, merely showing the page to me, the user who happens to be logged in to my mail service, is harmless.
I have a top page which contains an iframe with untrusted content. I am hosting the untrusted content on a domain that I control, and can (in theory) make changes to it. Short of analyzing the source code with something like Google Caja, is there any way that I can prevent the untrusted content from navigating the frame itself to other URLs? (or ideally restrict it to the trusted domain)
Related, but not quite:
Only addresses anchor tags, not navigation in general
Lots and lots of webpages talking about sandbox with "allow-top-navigation". Doesn't help because I want to restrict navigation of the frame itself
Background: My goal is to allow untrusted content to run in the iframe and to pass some user data to it, but I don't want the untrusted content to turn around and send this data to a 3rd-party. (The content will be allowed instead to postMessage any results to an API exposed by the parent window.) Content Security Policy HTTP headers on the untrusted content allow me to restrict all manner of network requests except navigation.
I randomly saw this new Content Security Policy option hinted at on MDN (with a little flask on it, so may still be experimental...)
navigation-to
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
I'm loading a webpage inside iframe of a background page in chrome extension. I need to fetch the content (i.e. DOM) of iframe. I'm getting protocol error. how to overcome this situation, any workaround.
"Unsafe JavaScript attempt to access frame with URL https://swym.3ds.com/ from frame with URL chrome-extension://ohhaffjbbhlfbbpcdcajbkeippadmipk/back.html. The frame requesting access has a protocol of 'chrome-extension', the frame being accessed has a protocol of 'https'. Protocols must match."
I'm trying to implement a desktop notification for the above site, hiding the process from user eye.
I tried using XMLHTTPRequest and Jquery GET, unfortunately my site loading is unstandard, it doesn't work as intended.
Any suggestion on this topic will be very helpful.
It seems you're facing Cross-origin resource sharing issues. Do a quick check for resources loaded with protocols, convert http://www.example.com resources to //www.example.com Also refer MDN CORS Article
Javascript cannot access content on another domain as it poses security risks. If you have control over the domains, you may use postMessage to overcome this. Take a look at this link