I have a flash game from another website iframed on my site.
I want to prevent users from leaving my site when clicking a banner inside the flash game that redirects to another website.
I tried the sandbox thing but it didn't work.
Is this possible, since the iframed content is a flash game?
Since the iframe is cross-domain there isn't really anything you can do unless you have access to that server. Check out CORS (Cross-Origin Resource Sharing), but I think even that will only get you as far as XHR requests go. It still wouldn't allow your scripts to access the contents of the iframe unless it is hosted on the same domain.
I want to set the sessionStorage of an iframe which is located on my page. However, the site in the iframe and my site have different domains. How can I handle that?
Thanks in advance! :)
If the iframe embeds content that has the same origin as your host website, they will share the same session storage.
If the iframe doesn't have the same origin as your host website, but you have control over it, you can maybe implement something with the postMessage API to communicate with your iframe.
If the iframe doesn't have the same origin as your host website, and you don't have control over it, you can't modify its session storage for security reasons.
Take a look at this SO thread: sessionStorage in iframe for more info.
I have a web page that will be embedded in iframes on multiple domains. I need to determine which domain is embedding my content.
document.referrer doesn't work, because I need the parent window, not the home page of the site or the page last visited prior to navigating to my page.
I don't have any control over the sites that are embedding my content.
Because of abuse over the years, web browsers and servers have added security.
One of them is preventing an iframe from accessing the parent domain unless it meets the SAME ORIGIN POLICY.
https://en.wikipedia.org/wiki/Same-origin_policy
Now the HOST where your website will be embedded can allow you to access the parent host. Something called CORS for short.
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
Also check out:
https://en.wikipedia.org/wiki/Web_Messaging
Hope that answers your question some.
I'm trying to develop an extension similar to Pinterest's PinIt extension for Google Chrome. In general, I know that loading any URL in an iframe which is not from the same origin would result in the error "Refused to display 'https://www.someWebsite.com/' in a frame because it set 'X-Frame-Options' to 'DENY'."
However, I do see that Pinterest is loading a URL on any website when using their extension. For example, I was using the extension on instagram.com (I've used it on other sites as well) and then I took a screenshot of what I could not understand. (Please refer to the selected area in the DOM.)
Can anyone tell me how this can be achieved or probably how pinterest is doing this?
X-Frame-Options dictates which frames can embed the page, not which pages can be embedded in it.
So if, say, https://www.someWebsite.com/ disallows being embedded, X-Frame-Options doesn't prevent embedding https://www.someOtherWebsite.com/ inside it (if the other website allows it).
However, the child-src or frame-src Content Security Policy directive can prevent embedding another page.
In theory, both mechanisms can be overridden by the webRequest API. However:
PinIt doesn't use it, so logically it should fail on some sites.
http://content-security-policy.com/ is an example where it simply fails.
There may be additional countermeasures if you decide to circumvent response headers.
It's a cat and mouse game if some resource is unwilling to be embedded or allow embeds.
By changing CSP headers, you are weakening security considerably for your users.
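As an added example (not code from the answer above), here is a small evaluator of the two checks the answer distinguishes: the embedding page's own frame-src / child-src policy, and the framed page's X-Frame-Options or frame-ancestors. It is a simplified teaching model of the browser's behaviour, not the full CSP source-matching algorithm: sources are matched as whole origins plus 'self', 'none' and '*', and all origins in it are constructed for the example.

```javascript
// Added example: simplified model of "may A frame B?" using the two header families.
// Not the browser's full CSP algorithm; origins are matched as whole strings.

// Parse "directive src src; directive2 src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of (header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    // Strip the quotes around keywords such as 'self' and 'none'.
    policy[tokens[0].toLowerCase()] =
      tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
  }
  return policy;
}

// Does a source list allow candidateOrigin? selfOrigin is the origin the policy belongs to.
function sourceAllows(sources, candidateOrigin, selfOrigin) {
  if (!sources || sources.includes('none')) return false;
  return sources.some(s =>
    s === '*' ||
    (s === 'self' && candidateOrigin === selfOrigin) ||
    s === candidateOrigin);
}

// Direction 1: does the embedding page's own CSP let it frame childOrigin?
// frame-src falls back to child-src, then default-src; no directive at all means allowed.
function parentMayFrame(parentCspHeader, parentOrigin, childOrigin) {
  const p = parseCsp(parentCspHeader);
  const sources = p['frame-src'] || p['child-src'] || p['default-src'];
  if (!sources) return true;
  return sourceAllows(sources, childOrigin, parentOrigin);
}

// Direction 2: does the framed page allow parentOrigin to embed it?
// frame-ancestors takes precedence over X-Frame-Options when both are present.
function childMayBeFramedBy(childHeaders, childOrigin, parentOrigin) {
  const csp = parseCsp(childHeaders['content-security-policy']);
  if (csp['frame-ancestors']) {
    return sourceAllows(csp['frame-ancestors'], parentOrigin, childOrigin);
  }
  const xfo = (childHeaders['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === childOrigin;
  return true; // no header: any page may frame it
}

// The frame only renders when both directions allow it.
// parent/child are { origin, headers } with lower-cased header names.
function frameLoads(parent, child) {
  return parentMayFrame(parent.headers['content-security-policy'], parent.origin, child.origin)
      && childMayBeFramedBy(child.headers, child.origin, parent.origin);
}
```

Feeding the page from the question through it shows the asymmetry the answer describes: a page served with `X-Frame-Options: DENY` cannot be framed by the extension's iframe, yet that same page may still frame a third site that has no such header. The defensive takeaway is the same on both sides: a site that does not want to be embedded sends `frame-ancestors` (with X-Frame-Options as a fallback for old browsers), and a site that does not want to embed untrusted content restricts `frame-src`.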
I finally figured out how to deal with this. I still do not know how exactly Pinterest is doing it but I'm sure I'm close to it.
I simply load an iframe in the body of the parent by injecting my own JS into the page.
Then I iterate through all the images available on the page like
var imgArray = [];
$('img').each(function () {
// do my stuff to see if i need this image
// push them in an array (say, var imgArray)
imgArray.push(this.src);
});
var imgToString = imgArray.toString();
var myIframe = document.getElementById('iframe_id').contentWindow;
// '*' delivers the message to whatever origin the frame currently holds;
// pass the frame's own origin instead to keep the list from reaching another site
myIframe.postMessage(imgToString, '*');
And then in the iframe that I load, I receive the message and use the images...
So the gist of the whole issue is that postMessage() is my saviour.
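The sessionStorage answer earlier on this page and the answer above both come down to the same postMessage exchange. As an added example (not code from either answer or from Pinterest), here it is with the host page on one side and the iframe content on the other, each side checking the other's origin and neither using '*' as the target. The origins https://host.example and https://widget.example, the message shapes and the storage key are assumptions made for the example.

```javascript
// Added example: host page <-> iframe exchange over postMessage with explicit
// origins on both sides. Origins below are assumed for the example.
const HOST_ORIGIN = 'https://host.example';    // assumed origin of the embedding page
const FRAME_ORIGIN = 'https://widget.example'; // assumed origin of the iframe content

// --- host side --------------------------------------------------------------

// Collect image URLs from the host page (the `$('img').each` loop in the answer),
// keeping only http(s) URLs so javascript:/data: values never cross the boundary.
function collectImageUrls(imgElements) {
  const urls = [];
  for (const img of imgElements) {
    const src = img.src || '';
    if (/^https?:\/\//i.test(src)) urls.push(src);
  }
  return urls;
}

// Send the list to the frame. The second argument is the frame's origin, not '*':
// if the frame has navigated elsewhere, the browser drops the message.
function sendImagesToFrame(frameWindow, imgElements) {
  const msg = { type: 'images', urls: collectImageUrls(imgElements) };
  frameWindow.postMessage(msg, FRAME_ORIGIN);
  return msg;
}

// Host-side handler for the frame's reply; anything not from FRAME_ORIGIN is ignored.
function handleFrameReply(event) {
  if (event.origin !== FRAME_ORIGIN) return null;
  const d = event.data;
  if (!d || d.type !== 'images-ack' || typeof d.count !== 'number') return null;
  return d.count;
}

// --- frame side -------------------------------------------------------------

// Frame-side handler: only the host may talk to us, and only with the expected shape.
// Returns the accepted URL list, or null when the message was rejected.
function handleHostMessage(event, storage) {
  if (event.origin !== HOST_ORIGIN) return null;
  const d = event.data;
  if (!d || d.type !== 'images' || !Array.isArray(d.urls)) return null;
  const urls = d.urls.filter(u => typeof u === 'string' && /^https?:\/\//i.test(u));
  // The frame writes to its *own* sessionStorage; the host cannot reach it directly,
  // which is exactly why the data has to arrive as a message.
  if (storage) storage.setItem('images', JSON.stringify(urls));
  // Reply to the sender, again with an explicit target origin.
  if (event.source && typeof event.source.postMessage === 'function') {
    event.source.postMessage({ type: 'images-ack', count: urls.length }, HOST_ORIGIN);
  }
  return urls;
}

// Wire the handlers up only inside a browser. A real deployment registers just the
// handler for its own role; both are shown here so the file reads as one unit.
if (typeof window !== 'undefined') {
  const storage = typeof sessionStorage !== 'undefined' ? sessionStorage : null;
  window.addEventListener('message', (ev) => {
    handleHostMessage(ev, storage); // runs in the frame
    handleFrameReply(ev);           // runs in the host
  });
}
```

In the host page the call is `sendImagesToFrame(document.getElementById('iframe_id').contentWindow, document.querySelectorAll('img'))`. The two origin checks are what keep this from becoming the cross-domain leak the other answers warn about: the frame refuses lists from any page other than the one that is supposed to embed it, and the host refuses acknowledgements from any origin other than the frame it loaded.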
I am working on adding new functionality to our web application. For this I have to load a web page from a separate domain in an iframe in my web page and intercept all the HTTP calls made by the iframe in the JavaScript of my web page.
Can you please let me know how I can achieve this? I googled for this but couldn't find much information about this.
You cannot spy on a user's activity on other domains using an iframe. Browsers forbid it.
Imagine if I did that to your bank's website!
If you have the cooperation of the other site then you can communicate between domains, through frames, using postMessage.
A browser extension can ignore these restrictions (since it has to be installed by the user).
On my JSF page I am trying to show some other website in an iframe and show its URL. I understand now that for security reasons I can only access the URL of the iframe if it is showing some site of my domain. So, I've found that problem a lot of times on the internet, but I couldn't find any solution. I don't want to read the content of the iframe, but only the URL.
Is there any solution for this requirement? Using an alternative to iframes? Frameset, browser in browser? Popup?
If you want to stick to the iframe option, I would test to see if the innerHTML of the iframe matches that of the website they are meant to reach. The innerHTML in WebKit does seem to change as the user browses.
The only alternative I can think of is HTTP proxying the websites, changing the links to refer to your proxy, then telling them they win when the requested proxy URL matches that of the destination.