Use an iFrame without session or cookie data (incognito) - javascript

If you use an iFrame element in an HTML document, the child page will load with all of the session and cookie data from the browser.
For example:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Stack Overflow in an iFrame</title>
</head>
<body>
<h1>Stack Overflow in an iFrame</h1>
<iframe src="http://stackoverflow.com" width="640" height="480" />
</body>
</html>
Ignore for a moment that SO doesn't actually allow itself to be loaded in an iFrame. If it did, the SO page loaded by the iFrame would show you as signed in.
How can I use an iFrame without any cookies or session data? (like incognito mode in Chrome)
Why?
My company sells a product (web-app) for people to build customized websites with. When they are authenticated, and they visit their website, we show them the auth'ed version of the UI so that they can edit the content. Un-auth'ed users only see the static website. Using multiple browsers or clearing cookies is not a reasonable expectation of our users so we want to show a preview of their site to them in an iFrame so they can see what their visitors would see. We also want to show "mobile" previews of the site with smaller resolution iFrames so that they may see what their visitors would see if they came to the website on a phone. These iFrame(s) need to be loaded without access to the browser's cookies or session data so that they load in un-auth'ed mode, just like Chrome does in incognito mode.
I haven't tried anything yet because I don't know where to start. I did find out that HTML5 added some sandbox attribute values to the iFrame element, but none of them seem to help with this problem. Maybe something could be done with JavaScript, we do already use jQuery in our project.
Note: We aim to only use valid HTML5

If you fully control the webstack wouldn't it be easier to add a preview parameter that treats the user as unauthenticated?
For instance:
<iframe src="http://stackoverflow.com?preview=1" width="640" height="480" />
Followed by bypassing your authorization checks if the preview flag exists.

Related

How to fix an error of website iframe?

When I go to this url : (warning: some Ad-blocker is recommended)
https://openload.co/embed/M4pSomdJWME/?c1_file=http://tugaflix.com/legendas/716bac991518958ad95df18200c906c3.srt&c1_label=Legenda
The web-page link loads fine, without errors.
However, when I try to load same page via iframe in my html code, an error appears:
My html code :
<html>
<head>
</head>
<body>
<iframe width="600" height="700"
src="https://openload.co/embed/M4pSomdJWME/?c1_file=http://tugaflix.com/legendas/716bac991518958ad95df18200c906c3.srt&c1_label=Legenda">
</iframe>
</body>
</html>
Below image: Error result within my iframe. How to fix such error?
If you're willing to design/code your own player interface then one loading option is to use a <video> tag instead of via <iframe> tag...
<video width="640" height="480" controls crossorigin="anonymous">
<source src="https://oload.stream/stream/M4pSomdJWME~1508775093~213.205.0.0~IzmpIUe0?mime=true" type="video/mp4">
</video>
I'm not going to tell you how to steal access any video by code, but some advice is:
1) You can see in the source code that a server 1508775191~213.205.0.0 is accessed for media files including subtitle VTT file). Study rest of source code. Consider why token is mentioned and why referrer is checked. What can you do pass and get same access?
2) By using your browser's Developer Tools (especially "network" and "console" tabs), you can find the related https://oload.stream/stream/ url for any future updates or alternate embeds.
PS:
"but, this tugaflix.com/Episodio?E=2310910&S2 website is using that iframe"
Look at source code of: http://tugaflix.com/Episodio?E=2310910&S2/
You will see that no iframe is mentioned or used... They are even using two different player interfaces so you cannot assume that tugaflix.com is loading this page https://oload.stream/embed/M4pSomdJWME within some iframe. They are instead accessing the MP4 video file from some server calledhttps://lemonade-fruit.fruithosted.net/
The target site has code that prevents it from being shown in an Iframe. Unfortunately you will not be able to use that url in an Iframe.

Block javascript disabled users from wordpress site

I am having a huge problem. I need to prevent access to non javascript users for a page on my website. I am not very technical when it comes to websites, hmtl or java ect. But I have a page that i would like non javascript users to not be able to access. I have tried lots of code from here in my header and footer such as
<noscript>
<meta http-equiv="refresh" content="0; URL=nojs/index.php">
</noscript>
but it does not work.
To put this into more detail my problem is that a host a webpage with a list of download links. There is an app (web browser) for amazon devices (android) that accesses webpages and allows you to download but it comes with javascript disabled by default.
This means that my Ads dont show and i am now getting 40TB a month bandwidth usage from people using this software which means i may have to pull the site soon as it costs more to run than the ads give back.
I think i need to either block non javascript users. Or is there a way i can make my links on that page in javascript so that none javascript users cant see or use them?
In an ideal world i would just like to display a message saying please enable javascript in settings but i have tried many header codes with no success. Any help here greatly appreciated
I tried using the meta tag inside the noscript tags like you did, and it worked fine for me. Try using an absolute link to your nojs page instead of the relative one you have. I don't know of a way to completely block nonjs users. Another option would be to use the noscript tags to hide the content of your html pages when js is disabled. This won't completely disable nonjs users from seeing your pages since if they are tech-savy they could use inspect-element to unhide the page content, but for the most part it should do a good job of preventing nonjs users from viewing your page. You can also include a no script alert. For example:
<!DOCTYPE html>
<html>
<head>
<title>
</title>
<noscript>
<style>
div.content {
display: none;
}
</style>
</noscript>
</head>
<body>
<noscript>
Please enable Javascript to view this Page
</noscript>
<div class=content>
Page Content Here
</div>
</body>
</html>

Javascript/DOM not detecting new HTML

I'm working on a private Chrome extension that injects some code into specific websites. I am successful for all except THIS 1 website (which I cant provide you with login access, sorry).
My extension doesn't detect the new(most) of the html content being loaded on the page after navigating through the site only.
For example, when I run document.documentElement.innerHTML; the return string is only the barebones of the page.
The site is using JQuery and I do have JQuery also loaded in my extension, but it still doesn't want to read any elements. The elements do show up in Developer Console but NOT on the Source Page or Frame's Source Page
I really need access to those Elements but I can't figure it out.
Any help is appreciated.
Thanks a bunch.
EDIT: Turns out nothing was working because all the new content was being loaded into an iFrame. Now I have to research iframes :(
This is what the code in the developer's tools looks like
<html>
<iframe src="..." >
#document
<html>
<div id="im trying to get">this content</div>
</html>
</iframe>
</html>

Disable flash on our website and in iframe

How can I disable flash from running in an iframe on my site?
We have a website where we give the user the option to view their site in an iframe on a makeshift mobile simulator. We wanted the user to see that their website doesn't look so great, but this doesn't work as intended for many reasons. I doesn't take into account meta-view port settings etc, but I'll figure that out later. The other problem is the flash works and don't want it to, so that they see that it wont run on iOS.
With the new HTML5 iframe sandbox attribute you can disable all plugins (including flash) in supported browswers by including the sandbox attribute. For example:
<!DOCTYPE html>
<html>
<head>
<style>iframe{height:9000px; width:100%;}</style>
</head>
<body>
<iframe sandbox="allow-scripts" src="http://www.adobe.com/software/flash/about/"/>
</body>
</html>
Will not display the flash animation, or version information. But the same code without the sandbox will:
<!DOCTYPE html>
<html>
<head>
<style>iframe{height:9000px; width:100%;}</style>
</head>
<body>
<iframe src="http://www.adobe.com/software/flash/about/"/>
</body>
</html>
Update - please see Rick's answer
The current HTML5 way is to use sandbox="allow-scripts" - this is explained in Rick's answer.
You can't control iframes on another domain from your site.
You can't run any scripts on them to remove/alter flash because of the same origin policy.
It's a security issue - imagine you could include and manipulate iframes. I could include an iframe containing http://nouveaus-bank.com and simulate events entering amounts and transferring money to my account in it.
There was an "allow-plugins" proposal for iframe sandboxing but it was rejected.
Your only option would be using a proxy on your site and putting it on your domain instead, or manipulating it on the server-side. If you can ask clients to include a code snippet on their side you can do a .postMessage and intercept it on the iframe asking it to remove the flash.

adding an iframe to facebook does not work anymore since ~2 weeks

I'm writing a firefox extension to read out the privacy settings of a facebook user. (not a facebook app!!) To switch between different websites of facebook I used iframes, but this isn't working anymore. I have this problem since 2 weeks.
$('#globalContainer').append('<iframe id="reusable_iframe" src="" width="90%"
height="400" name="reusable_iframe"></iframe>');
//....
$('#reusable_iframe').attr('src', link);
I'm follow the Same origin policy and it was working just fine since a 2 weeks!? an example:
var link = "http://www.facebook.com/editprofile.php?sk=basic";
Now I just get a blank iframe :(
the funny thing is, that if I add "http://www.youtube.com/embed/Qi_AAqi0RZM" or "http://trololololololololololo.com/" to the iframe it's working without a problem... :/
did facebook change the rules for own links in iframes? Is there a workaround? Is there an other way for me to scan different sites with firefox-extensions? i would prefer to stay with content-scripts....
Edit: This is how it looks at firebugs... also funny is that the facebook page http://www.facebook.com/undefined is working however!?
<iframe id="areusable_iframe" width="90%" height="400" name="areusable_iframe" src="http://www.facebook.com/">
<html>
<head>
</head>
<body>
</body>
</html>
</iframe>
Facebook sends the following response header to the browser:
X-Frame-Options: DENY
This cause all major browsers (even IE8 and higher) to prevent showing it inside frames.
The old way was "frame buster" using JavaScript forcing the page to open as the top window, but it's very unfriendly so it was replaced by this header in most modern websites that don't want to be displayed in frames.
Not much you can do though, sorry.
The "undefined" page is just blank content which is their 404 custom error page as it does not contain the above header, it can be displayed inside frame.
To learn more about the X-Frame-Options header see this documentation.

Categories

Resources