I'm loading a webpage inside iframe of a background page in chrome extension. I need to fetch the content (i.e. DOM) of iframe. I'm getting protocol error. how to overcome this situation, any workaround.
"Unsafe JavaScript attempt to access frame with URL https://swym.3ds.com/ from frame with URL chrome-extension://ohhaffjbbhlfbbpcdcajbkeippadmipk/back.html. The frame requesting access has a protocol of 'chrome-extension', the frame being accessed has a protocol of 'https'. Protocols must match."
I'm trying to implement a desktop notification for the above site, hiding the process from user eye.
I tried using XMLHTTPRequest and Jquery GET, unfortunately my site loading is unstandard, it doesn't work as intended.
Any suggestion on this topic will be very helpful.
It seems you're facing Cross-origin resource sharing issues. Do a quick check for resources loaded with protocols, convert http://www.example.com resources to //www.example.com Also refer MDN CORS Article
Javascript cannot access content on another domain as it poses security risks. If you have control over the domains, you may use postMessage to overcome this. Take a look at this link
Related
So I am going to be brutally honest about my motive. I am using one of the many video streaming sites out there...it has great quality content, however it has tons of popups and it doesn't work when my ad-blocker is on.
I have been trying to disable the ads when I load the page, but I am unable to set values of the attributes inside of the iframes.
I can select the iframe itself using:
window.frames[x]
However once I try and do anything example
window.frames[1].getElementByClassName('classname').length
I get an error in the console log that says
Uncaught DOMException: Blocked a frame with origin
"http://url.com" from accessing a cross-origin frame.
Any suggestions on how I can circumvent this? I have seen similar posts, but most people are trying to interact with the iframe they are using on their own sites, I want to use a chrome extension to inject the js onload for the site I am accessing.
I imagine the reason I cannot do this has to do with security restrictions, but I figured it was worth a shot asking.
The only way to do this is to setup your own local proxy server and use that to inject your JavaScript into their page.
I want to get the XPATH of an element on a website (my own domain), which I got it using JavaScript code as mentioned in this answer.
Now what I want to click on button which will open a url (cross domain) window and when user click on an element on that window it's XPATH is captured.
I tried doing the same using iframe with no luck.
Now my question is there a way to get the XPATH of an element of another website/ Cross domain?
Sorry this is not possible without cooperation from the other (x-domain) site. Browsers are designed not to allow access to the DOM of x-domain documents (iframe included) for security reasons.
If you had cooperation from the other site, they could load your javascript file and then use postmessage to pass the xpath to the original page.
Other options would be to create a bookmarklet users could use on the other page, or a browser extension (Chrome and FF are pretty easy to develop for)... depends on your use case.
From your comments, I've gathered that you want to capture information from another website that doesn't have Access-Control-Allow-Origin headers that include your domain (e.g. the other site does not have CORS enabled). This is not possible to do cross-domain and client-side due to the Same-Origin Policy implemented in most modern browsers. The Same-Origin Policy prevents any resources on your site from interacting with resources on any other site (unless the other site explicitly shares them with your site using the Access-Control-Allow-Origin HTTP header).
If you want to get information about another site from your site, there is no way around using server-side code. A simple solution would be to implement a server-side proxy that re-serves off-site pages from your own origin, so the Same-Origin Policy will not be violated.
You may get the data using jQuery's load function, and append it to your page.
From there, the DOM nodes from your external page should be accessible for your processing.
$('#where-you-want').load('//example.com body', function() {
console.log($('#where-you-want'))
// process the DOM node under `#where-you-want` here with XPath.
})
You can see this in action here: http://jsfiddle.net/xsvkdugo/
P.S.: this assumes you are working with a CORS-enabled site.
What I want to do is open an iframe, pointing to another website, and then submit a form on that website.
This is obviously cross-origin, so Chrome (and I assume other browsers) doesn't allow me to do stuff to the contents of the iframe, once it's loaded.
So I've tried doing it in a Chrome extension. I'm getting a similar error:
Uncaught SecurityError: Blocked a frame with origin "chrome-extension://amnacjaocbabmgfjcbmgbhikfedaanmo" from accessing a frame with origin "http://www.example.com". The frame requesting access has a protocol of "chrome-extension", the frame being accessed has a protocol of "http". Protocols must match.
Any suggestions on how to make this work? I can post more details on my current method, if necessary. But, I'm open to other suggestions (e.g. opening a new tab and doing the work in there, etc.). Anyone know of something that will work without getting some kind of security error?
EDIT: So far the best solution I've come up with is using a background script to open a new tab, and use content scripts to manipulate its content. It would be really nice if I could just load the page into an iframe, and then send content scripts just to that iframe, but I haven't figured out how to do that.
In the page header of your embedded page, include the following header:
X-Frame-Options: ALLOW-FROM www.example.com
This bypasses at least Chrome and Firefox. Your mileage may vary on IE.
I need to display another website in an iframe. I don't need to access anything on this website I'll be displaying. Is this in violation of the cross domain policy? If so, would a proxy bypass this?
I tried a simply iframe with its src set to http://google.com as a test, and it looks like this does violate this policy. How can I bypass this if I don't need to access anything on the displayed webpage.
No, you can access any site through an iFrame.
What is against the policy is trying to manipulate the site in any way and modern browsers won't let you manipulate it anyways.
Google does allow you to get their site through an iFrame, however, they're using code to "break out of frames", so instead of viewing their site through an iFrame, you'll just be redirected to google.com
Ah, I see now that its only the test page I used, google, that forbids this. Other sites are OK.
We have application hosted "xyz:8080/rootapp" and cometd services hosted on "xyz:9090/cometed". The JavaScript loaded from cometd server needs to access the DOM/JavaScripts loaded from (xyz:8080), the browser's same origin policy is not allowing it.
To overcome it we set 'document.domain' as "xyz" eliminating port. This solution is working well but this is becoming problem to all the iframes loaded by "xyz:8080" and I need to change each and every iframe to use domain as "xyz".
Can someone provide me hints to solve this problem without changing each and every iframe?
Do we have any http header to set domain?
You can use CORS to specify an exception to same origin, this will work in any relatively modern browser.
This page has a fairly good intro and a list of compatible browsers.
The short version is put an Access-Control-Allow-Origin header into the responses from xyz:8080 that contains either xyz:9090 or * (for unrestricted access).