This question already has answers here:
Get current URL from IFRAME
(8 answers)
Closed 5 years ago.
I'm using iframe to load faroo.com as default src in frame when i search and move to other webpage using faroo.But still in the iframe src its display faroo.com only i wanted to capture url of page that has loaded in iframe
<!DOCTYPE html>
<html>
<head>
<script src="http://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.11.1.min.js"></script>
<script type="text/javascript">
$(function(){
$('#frameid').load(function(){
var z=$('#frameid').attr('src');
console.log('hi '+z);
});
$('#clicked').on('click', function(){
$('#frameid').attr('src', 'http://www.faroo.com/');
});
});
</script>
</head>
<body>
<iframe width="100%" height="500px" id="frameid" src="" name="iframe_a" ></iframe>
<p><input type="button" value="click me!" id="clicked"></p>
</body>
</html>
The o/p at console.log is always faroo.com not the current website that has loaded
For a matter of security you are allowed to retrieve the URL as long as the contents of the iframe, and the referencing javascript, are hosted in the same domain.
Should it be the case, you can do something like:
document.getElementById("frameid").contentWindow.location.href
If the two domains are different then you'll have all the restrictions that apply to the cross-site reference scripting domain. Example:
document.getElementById("frameid").src = 'http://www.google.com/';
alert(document.getElementById("frameid").documentWindow.location.href);
Error: Permission denied to get property Location.href
For sure (except if you find some huge security flaw in your browser) you simply cannot achieve what you need using javascript in the parent document. Let's see with a simple example why. If the browser allowed what you need, you could easily:
Create a page, with a hidden iframe (e.g. http://malicous.com/dont-trust)
In that iframe, open a child page with the login process of some website (e.g. http://insecure-web-site.com/redirectlogin)
If cookies for child are present and under certain circumstances, the page inside the frame will redirect to the real website, proceeding with user login.
From the parent page now you will be able to read all the sensitive informations gone through the login process contained inside the URL, e.g. access tokens, session IDs, ...
At this point the victim website and its users are in front of a wide new set of possible security threats...
Seem likes there is a hack to make this work and I actually can't believe it's even allowed. This is how it seems to work:
1) Change the domain to match iframe:
document.domain = <iframe_domain>
2) Get the URL like so:
console.log($('iframe')[0].contentWindow.location.href)
In my opinion, this should not have worked, but it does. I tested with the following in Safari, Chrome and Firefox all latest version as of 02/01/2017:
Main: http://subdomain.website.com
iframe: http://www.website.com
What do you think? Is this permanently allowed or is it an oversight that will be patched soon?
Update
I started another thread for discussion here regarding browser security.
Isn't This A Serious Browser Security Issue? RE: Cross-Domain iframe Hack
Update 2
Seems like this will always be supported for specific cases.
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
Related
I have a webpage (localhost). When I type its URL in the browser I am making it redirect to another webpage using Javascript.
<head>
<script type="text/javascript">
function wa() {
window.location = "http://www.anyWebsite.com";
}
</script>
</head>
<body onload="wa()">
As a result the URL in the web browser also changes. The only thing I need here is that the URL should not change.
You can load the other page into an <iframe> or <frameset> that covers your entire page.
Note that you will not be able to display the other page's title.
Also note that many websites (such as StackOverflow) will prevent this for security reasons.
Simple answer!! Not possible
Page will refresh every time when you will change window.location
Not possible for security reasons, users should see what URL they are at.
There are workarounds though - make an IFrame for the whole page and set the location there or dynamically load the page and update from different location.
I cannot believe I'm about to suggest using iframes, but you're easiest solution is indeed iframes.
Create an iframe that's 100%x100%, and when the window loads set the location of the iframe to your new url. The location bar will (should?) stay the same while the page appears to have moved onto a different location.
iframes: http://www.w3schools.com/tags/tag_iframe.asp
I have an IFrame inside my 1st page that loads another page which I don't want it to be accessed directly. So I thought maybe I can be sure that the 2nd page is loaded inside 1st one if I check the top.location in 2nd page and do as normal if it's equal 1st page URL or remember user as hacker if it's not.
Here is the code:
1st Page:
<html>
<head>
<title>1st Page</title>
</head>
<iframe src="2nd Page" name="frame1" height="80%" width="100%"></iframe>
</html>
2nd Page:
<script type="text/javascript">
if(top.location == "1st Page URL") {
// It's OK, Access is not direct
} else {
// It's not a normal access
}
</script>
It seems that this code will work fine, but I'm not sure if it's foolproof or not. Maybe top.location could be spoofed (like $_SERVER['HTTP_REFERER']) or it's totally unreliable somehow. I need to be sure about that.
Well, you can use JSPs. Have your second page, the one that should never be accessed directy placed in the WEB-INF folder of your project, and then have the main page do a jsp:forward towards that resource. This way the 2nd page can never be accessed directly.
top.location, HTTP referer and everything can be spoofed easily. There is no point of trying to build client-side security checks.
Instead, you should focusing make your code robust using sessions, etc.
This question already has answers here:
Cross domain iframe issue
(5 answers)
Closed 6 years ago.
I am embedding a script via <script src="example.com/file.js"></script> on a domain that does not belong to me. The script outputs a iframe with its src set to a script on my site. I'm also outputting a div tag that contains the iframe (it is not rendered by the iframe but the js file). Now, I want to be able to execute a function that is loaded via the iframe to control the parent div of the iframe OR output the function along with the div tag and execute the function from the iframe. I am getting permission denied errors when attempting to do either. How can I grant permission?
You can't (and then time passes and the answer changes, see the duplicate question).
In short, you can't using the way you posted. The only thing windows (including iframe windows) can do to each other is change the URL / hash. What you can do is:
1) Make an HTML page that checks its hash for commands to run. Put this on SITEA.
2) On your regular SITEA page load SITEB in an iframe.
3) SITEB iframes doesn't have access to it's parent since it's on a seperate domain. However, it can load the page you set in step 1 through an iframe. You can also change the URL on this iframe. This SITEA iframe is allowed to talk and control SITEA parent (through something like window.top).
This may sound confusing but it works and is pretty much the only way to do it cross-browser and in IE6. I've done stuff like this to support ads that expand on the parent site.
I am building a script/application (on client side and on proxy site too) that gathers information about elements from various web-sites.
One last thing that makes me troubles is gathering location of an IFRAME. Let me explain this in more details:
Invariant: Location of IFRAME is not changed via user interaction
Some web-pages uses SRC attribute to define location of new IFRAME - either defined via scripting or manually typed in the source - this is ok (no problem)
Other web-pages uses various techniques how to populate IFRAME dynamically and they do not use SRC attribute of IFRAME - this is ok if location of such IFRAME is inside the same domain, otherwise it is unsafe access to other domain
I will include one example of HTML code:
<html>
<body>
Click here to open an iframe.
<br>
<iframe id="test_iframe" name="test_iframe"></iframe>
</body>
</html>
So if I try by JavaScript this below I will get an empty string.
document.getElementById("test_iframe").src
And if I try to use this below I will get a security error.
document.getElementById("test_iframe").conentDocument.location.href
So my question can be reduced to:
Are there any technique to gather location of such IFRAME which content is outside parent domain and that IFRAME is without SRC attribute?
Thank you very much for your answers :-)
This is called iframejailing. Its not possible to read or alter an iframe element in the page if its pointing to a different domain. Its an inbuilt security feature in browsers.
However, there are certain workarounds for this if the domains in questions can work together to create an iframe proxy (google to get more info), which i feel in this case is not applicable.
Respond back if you have more questions.
I want to track what happens inside an iframe when a user clicks on links in the IFrame. The page that contains the iframe (the parent) is to track the user´s navigation through the page in the iframe. Both pages will be hosted on the same toplevel domain, although the subdomains will differ.
I need the parent page to be notified of every click, but I do not have direct control over the pages I load into the iframe.
Is adding an onclick to all the links whenever the page in the iframe is loaded possible? How would I go about doing this?
This would be the "template" on which to build:
<html>
<script language="javascript">
var currentURL;
</script>
<body>
<iframe id="container" width="500" height="500" src="http://subdomain.parentdomain.com"/>
</body>
Iframe CrossDomain access needs to be the same domain, subdomain, and port.
If you had them on the same domain, you could bind click event handlers on all the links, then when they are clicked log a click to something like google analytics, your database, etc.
I do not have direct control over the pages I load into the iframe
That's your blocker. If you can augment the code within the remote pages, you can use postMessage and the iframe fragment identifier hack to get browser coverage.
Fortunately, someone already did the dirty work for you:
http://easyxdm.net/
http://consumer.easyxdm.net/c/
http://www.codeproject.com/KB/scripting/easyXDM.aspx?msg=3153511
I am going to use an AJAX-Proxy to have the content (as far as the browser is concerned) come from my domain. This will solve all the cross domain scripting issues that CodeJoust mentioned. Speed of delivery might be a problem due to the overhead I will be generating, but that will have to be seen.
I will probably move along the lines of this Stackoverflow Question:
"Apply “onclick” to all elements in an iFrame"
Regarding legal issues pertaining to proxying and changing the content of pages dynamically, it will have to be checked. I believe that tracking users that give their express consent is, from an ethical standpoint, unproblematic.
With jQuery it would be easy.
$(document).ready(function(){
var iframeWindow = $('#container')[0].contentWindow;
$(iframeWindow).load(function(){
$(this).find('a').click(top.myClickHandler);
});
}
function myClickHandler(){
/* Do something */
}