Question first:
Is it possible to get iframe contents when it's displaying a browser error document (page not found, connection lost, certificate problem...)?
Problem explained:
I've built a simple form with an iframe inside. This iframe has a simple file upload form that works great in every test I have done. BUT the form is meant to be used inside a company's network and some users are reporting random problems when sending the iframe upload form from inside the network. I suspect that they are receaving lost connections because of internal network malfunctions and the iframe gets blank after sending (because the size is too small to display the error document and scrollbars are disabled).
As I'm not able to reproduce the errors I need to debug the process with Javascript, logging what is loaded inside the iframe after an error occurs to a user.
Actually I use jQuery to retrieve iframe's content:
$("#iframeid").contents().find("body").html();
Works great when retrieving a regular html document but not when trying to retrieve a browser error document. In this case I get the error:
Permission denied to access property "document"
Why is this happening? Because of same origin policy? Is there any way to override this?
Why is this happening? Because of same origin policy?
Yes.
Is there any way to override this?
No.
The browser does not allow you to read the contents of an internal document, like a 404 page. You will want to configure your webserver or fastcgi to return a soft 404 page which would allow you to view the contents of the iframe.
Related
I'm trying to create an Iframe overlay for a PDF document. The document is in the same domain in folder 'static', I can render he in an iframe, but I am not able to get the HTML structure inside, when I try to access, the cross-origin problem fires.
Uncaught (in promise) DOMException: Permission denied to access
property "document" on cross-origin object
The selected area is a div I am trying to get
Line 28 is where the error fires
I found this bug/issue in Bugzilla (Bugzilla error 911444). At this moment I'm trying to make this solution only for Firefox, because the other browsers render the PDF in Iframe differently.
In all sites I read about problems with cross-origin, everything is about to access a document who is outside my domain, but in this case he is same domain.
This is some bug or some misunderstanding of mine?
As you don’t have a code example here I’m guessing your loading the pdf directly into the iframe. When you do this the content of the iframe is not a html page so can not be accessed via JavaScript.
The solution is going to be to create a small html page that uses pdf.js to render the pdf. You will then be able to access the iframe.
In our web app/site, I need to use an iframe or a popup window to validate if the current token is valid and refresh it if no.
So, I create an iframe, and set the property 'src' to the validation link such as "https://<domain_name>/auth?client_id=xxx" which is different to our app domain https://<app_domain>. and the return value will like "https://<domain_name>/code=yyyy"
document.createElement('iframe');
and I added the message handle for the web app/site, like
window.addEventListener("message", this.messageHandler);
in the messageHandler, I will check if the message is from a specified website, and then validate the "code" value, blabla, etc.
But when running in Chrome, I always got the error
"Blocked autofocusing on a element in a cross-origin subframe."
what confused me is:
it always failed when running in the Chrome browser, but it can work fine in Firefox and Edge chromium.
I tried to set iframe.sandbox = "allow-forms allow-scripts allow-same-origin", the problem still existed.
If the validating token failed in iframe or timeout, I will create a popup window to continue validating and refresh the token. But every time, using popup window can always succeed. If it is really a cross-origin issue, why using iframe failed but using popup window succeeded.
I didn't use window.postmessage. because I don't know how to pass the return value of iframe/popup-window to the main page.
I used CORS extension of Chrome or using parameter --disable-web-security when launching Chrome. the problem still existed.
when I created the iframe or popup window. it is very simple, I just set the iframe.src property, there is no element being created.
any help will be much appreciated.
p.s.
I refer to the following doc:
Blocked autofocusing on a form control in a cross-origin subframe
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
Support for iframes in web development will only get worse over time as they are a security black hole, browsers are gradually over time locking out features and use of them.
I am assuming you are doing this because you are validating a user on a third party service, validating by watching the response of a third party service website?
Without knowing the service you are using I cannot comment specifically but for anyone looking to do something similar I would highly suggest not doing this:
As mentioned, iframes are constantly having features locked down due to security concerns
An attacker could change the source of the iframe and submit their own iframe to look like it has been correctly validated
It's unlikely that the page you are using as your iframe src is intended for this use, which will come back and bite you when the 3rd party developer changes how their page behaves, which they likely will do without knowing it's going to break your application
I recommend:
Finding a stable API the 3rd party service offers and using that
Finding another service if none exist
Apologies to rain on your parade!
I disagree that iframes are a security risk, rather they can be if not implemented properly.
How to implement them properly should be asked in another question and probably starting with a carefully implemented Content Security Policy as a priority.
I also use iframes within a Chrome extension that has to pass rigorous Google security.
As for the question, I've noticed that error too and I am focusing on an input box when the iframe is loaded and the focus works! I put it down to being a Chrome bug as the warning suggests it has stopped auto focusing when it hasn't.
As for the un-related point about passing the value back to the parent holding the iframe, I can help you with that, but you should ask it in a new question.
Disable some feature of browser setting
Browser Changes
chrome://flags/#cookies-without-same-site-must-be-secure
chrome://flags/#same-site-by-default-cookies
chrome://flags/#enable-removing-all-third-party-cookies
Above URL just paste it and disabled it. Then ok and relaunch the browser.
Then done it.
According to this article on MDN, using postMessage to pass messages to and from a content script in chrome is not secure because can't properly define a source property, and that it's targetOrigin is difficult to securely pass to a potentially malicious site. Is this still true. Are there any other ways to confirm the source of a received message, and to only send messages to a specific content script exclusively? Or are there any alternatives to using content scripts altogether?
The "chrome" in the article on MDN does not refer to "Google Chrome", but to extension code that runs with Chrome privileges (look here for other meanings of "chrome" in Firefox).
In Google Chrome / Chromium, content scripts run in a different environment than the web page (that means that window in the content script is different from window in the web page).
However, when you send a message from the content script to the page, event.source will be identical to the window of the page. So, to verify that the message was really sent from a (content) script within the same page, you could use if (event.source === window) { ... }.
If you want to send a message to another content script (in the same tab), then you have two options:
If the frames are located at different origins, or if the content scripts are located in different tabs, then you have to send a message to the background page, which in turn passes the message to the target content script using the Chrome extension message passing APIs.
If the communicating frames are located at the same origin, then their variables can directly be shared without using the message passing API. Refer to their window objects using top, parent, <HTMLIFrameElement>.contentWindow, frames[index], etc.
Another (hackish) way to get a message from the one content script to another is through the chrome.storage API. At the receiving end, bind a chrome.storage.onChanged event. To "send" a message, use chrome.storage.local.set. Don't forget to remove the key-value pair once you have (not) received the message.
I've made a site which handles online credit card payments. As part of the payment process an iframe is required on my site which works with an external security service to validate credit card data. I need to pass specific information to this iframe which it will use in a form post. I do this from my site by calling a function on this iframe, as follows:
var frame = window.frames["SecureFrame"];
frame.SetInnerFormValues(...);
This works fine in my dev environment. However, my site also needs to be run as an iframe on any client sites. So in the end, the client site will have an iframe pointing to my payment interface, which has a iframe pointing to the secure service. Both of these iframes are of course using SSL.
This seems to create an issue with the multiple nested frames on the client side. (Well, Chrome works fine, but Firefox doesn't)
When an end user is on a client site, an error occurs when my JS code above is executed. Firefox throws an error saying "TypeError: frame.SetInnerFormValues is not a function". I tried executing some code in the JS console to attempt to get to this SetInnerFormValues function on the secure frame, but all I'm getting is "Error: Permission denied to access property '...'" when just trying to access anything on my own site first.
Please, Ninja's of SO, I need your help!
Since the iFrame is loaded from another website, you can't do regular javascript function calls on it. That would be cross-site scripting (XSS). You need to set up an interface on your server that responds to SSL-secured (https:) POST requests to keep your users' information safe.
I am getting an error when my app is being embedded in an iframe that reads
Permission denied for https://myapp.com to call method Location.toString on http://otherhost.com
I am not getting a stack trace, line number, or file where this occurring in any of the browsers. How could I figure out where this problem is coming from?
This error is happening because of the same-origin policy. You can't run any Javascript from a non-extension source inside of a cross domain iframe. That is, an Iframe that is from a different domain than the main page's.
I determined that this error was coming from some JS tracking code that was including some flash to do it's tracking inside the iFrame, turned off the flash portion and this error disappeared