Is it possible to somehow, using javascript or other methods, to set http request headers in an iframe?
Basically, i need to embed a external website into an existing webpage using an iframe. Both pages are authenticated using the same domain, and i am trying to avoid forcing the user to login twice. Both the parent webpage and the external website are running https, and they both accept the basic authentication header as login methods. So, i was thinking if there is a way to take the header from the main page, and pass it on to the iframe?
The main webpage also allows me to get the basic authentication header using javascript, so i don't need to get the header from the parent request, i just need to be able to inject a header into an iframe before loading it.
You are not allowed to modify the content of other sites through an iframe because of the same-origin policy. A better option would be to use ajax to load the pages and then display them to the user without using an iframe.
More resources:
https://en.wikipedia.org/wiki/Same-origin_policy
https://www.w3.org/Security/wiki/Same_Origin_Policy
Related
I have a peculiar use-case where I want to prevent an iframe from communicating.
Parent page is of xyz.com/index.html
Frame source is abc.com/widget.html
Once loaded, xyz.com/index.html communicates some information to the iframe. Iframe uses that data to construct a personalized UI.
Is there a way I can ensure that the iframe is not sending anything back to any server?
sandbox attributes cannot be used as they don't prevent usual get requests.
Is there anything which can be done here?
I have an iframe that loads an external page, that needs to be logged to make appear what I want. Actually, if i set the iframe the normal way, the iframe loads the external-domain-login page. What I actually have is something like this:
What I need to do is to set some cookies for that source to make pretend the external domain I'm "logged". That can be done (or what I think this can be done) is setting to the request the cookies that the login response gave me.
I'm actually able to get those cookies, but don't know how to set them to the URL from the iframe.
Thoughts?
Thanks!
If the iframe is on a separate domain, you can't access it directly via javascript from your other domain so you won't be able to directly transfer your cookie from domain1 to domain2 using javascript.
If you control code in both domains, then there are some workarounds. Here's one method that uses a single place to login and the login credential is transferred via URL parameters: Cross Domain Login - How to login a user automatically when transferred from one domain to another
You could conceivably use the URL transfer mechanism by logging in on the first domain and then setting the .src URL in the iframe to have the login credential in the URL. When the second domain loaded in the iframe, it would see the login credential in the URL, grab it, turn it into a cookie value that it wrote on itself and the refresh itself (thus now looking logged in). You will obviously need to control javascript in both domains to use either of these techniques because one domain's javascript can't put a cookie into the other domain directly.
Another way that two cooperating domains can communicate is with window.postMessage() so the login credentials could be sent to the iframe window. It's javascript would have to receive the message and turn it into a cookie and then refresh it's page so that the server saw the login cookie on the 2nd domain.
we have a html page with a iframe in it on our server, the content of that iframe is from another domain. When client side view this html page, they can right click on the iframe to view the sources, but how can we code to access to that code from the outside..
You can't spy on the data that your visitors get from other sites.
If you know the URI they are visiting (which is only possible for the initial page specified by the src attribute (because you decide that that is)), then you can make an HTTP request from your server (the specifics of how you do that depends on the technologies available on your server). That will get you the content of the page (but not with the user's credentials).
Basically my application is in a social network where in my application's page they create an iframe with their (not mine) URL to "renderer" which then takes (don't ask how) my code (html, js) and places in the body tag of this iframe.
Since I need to be able to run the iframe's JavaScript functions I decided not to create an another iframe with my application URL, but with ajax calls just load my application's content in the body of their iframe. This way I could be able to run their JavaScript functions. If I would create my iframe within their iframe then I couldn't run them because of the cross domain stuff, right?
However when I perform ajax calls with jQuery to my application they are performed from the social network (since the iframe is their, just my body code) and thus no session cookies which are saved on my application domain are available for the ajax calls from this iframe.
What I think is I need to create an iframe (dooh) within the social network's iframe, but how to overcome the cross domain issues to access the JavaScript functions in the parent iframe?
P.S. Sorry for the long explanation. Wanted to make it clear for everyone.
There is no way to read a cookie from another domain.
Either the AJAX is failing because you are using XHR and you are getting blocked by the Same Origin Policy. Or, you are using JSONP, and the cookie is not being set.
If you are using XHR, switch to JSONP.
Using JSONP you won't be able to set cookies. JSONP just loads a script by setting the src of a script tag, and cookies can't be set in this way (nevermind that they can't be set from another domain).
You'll have to manage state manually by passing the session id with each JSONP request.
I have an application where I am displaying some stuff in javascript modals using jquery.
It requires the user to login for certain flows; but the user never leaves the modal.
So here is what we do currently.
During user flow if the user needs to be logged in, we hide the current div and show a login div
Keep a hidden iframe with Source link as that of our SSO server.
Once user submits the form, we submit the hidden iframe to the SSO server
If user gets logged in we proceed with the flow.
Problem is when there is error logging in. We need to get the error codes from the hidden iframe of the page; but because we don't control the content inside iframe, and it's returned by SSO server; we don't know how to read it since it's cross domain.
Any insights?
So long as there is not client side script being executed from the SSO party you do not need the iframe. The point of using an iframe for security is to prevent AJAX methods from ignoring single origin policy and circumventing SSL encryption. The answer is to remove the iframe. Request the SSO data from the server side and send it to the client from your server as the page is built.
You can't get around x-domain restrictions unless you use the jsonp protocol.
Could the user simply see the error response on page? Why do you have the iframe hidden atm?
Are you trying to silently log in the user to another system using the iframe technique?
Even though that might work on most browsers - some browsers won't pass cookies in i-frames - making this approach not a good broad audience solution.
Let me know if I can clarify.
Use JSONP to callback the function you prevented in your website, then in the iframe, you just need to invoke the javascript function: "parent.callback()".