Disable changing URL from IFRAME - javascript

I have my HTML5 games site FunInBrowser.com. I have a list of third party URLs, which should contain HTML5 games. I display those games inside a small IFRAME and put title, description, rating around it. The game may look like this: Connection.
Some guy uploaded his URL, which looks OK, but it changes the top URL from IFRAME. Here it is: Draughts. I didn't even know, that you can have this level of control from IFRAME.
Is there any way to forbid this behavior of IFRAME? I want to keep games in small frame and stay at the same URL.

In html5 you can use sandbox attribute. But not all browsers suppor it. There is a good article about it http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
Browser support table is here http://caniuse.com/iframe-sandbox

You should be able to add an event listener for onbeforeunload to the iframe, which checks the new URL against a list of valid URLs. In the event handler, be sure not to return a string, unless you want the "Are you sure you want to exist this page?" dialog to appear.
I should add, though, that this doesn't prevent his page from overriding the event handler you set up. It should work for your current scenario, but would be pretty trivial for him to work around.

Related

How can I prevent Iframe messing browser's history after interactions with it?

So in my case I use Iframes to attach Grafana to my page (which provides me beautiful and easy to use graphs).
It's possible to notice that Grafana's Iframes triggers a kind of refresh on my Angular page after each interaction of zoom in or zoom out (using mouse clicks) on the graph thus messing broswer's history. I don't see any changes on Iframe's src to justify this page refresh and it doesn't trigger anything apparently (doesn't trigger any onload, for example).
Is this a normal behavior? How can I prevent this?
I am using a scripted dashboard of Grafana version 6.2.2 along with Angular 6.1.
Hoping to help out, some things that I might try in your scenario:
A blank html page with only a grafana Iframe in it. See if it still refreshes the parent page. If not, then maybe the problem is with angular.
You said sandbox breaks the iframe? Maybe play around with different sandbox values. Like allow-scripts and see if it needs one of those values to work
https://www.w3schools.com/tags/att_iframe_sandbox.asp
Maybe try putting the grafana iframe in another iframe. I've never done this before, but maybe it will try to refresh the parent iframe instead of the parent page.
It could be helpful to post your angular html code to the question too. Might be some hints in there.
Without the effective implementation of the iframe is difficult to suggest the best way to act.
The simplest solution that comes in mind is iframe's sandbox attribute:
<iframe src="my_iframe.html" sandbox></iframe>
What's an iframe sandbox ?
The sandbox attribute enables an extra set of restrictions for the content in the iframe.
When the sandbox attribute is present, and it will:
treat the content as being from a unique origin
block form submission
block script execution
disable APIs
prevent links from targeting other browsing contexts
prevent content from using plugins (through , , , or other)
prevent the content to navigate its top-level browsing context
block automatically triggered features
The value of the sandbox attribute can either be just sandbox (then
all restrictions are applied), or a space-separated list of
pre-defined values that will REMOVE the particular restrictions.
Ref: https://www.w3schools.com/tags/att_iframe_sandbox.asp
You can overwrite the <iframe>'s pushState and replaceState functions:
iframe.contentWindow.history.pushState = new Proxy(iframe.contentWindow.history.pushState, {
apply: () => {},
});
iframe.contentWindow.history.replaceState = new Proxy(iframe.contentWindow.history.replaceState, {
apply: () => {},
});

Manipulating/changing adressbar link

I am out of my own "ideas" going through this.
I have a album viewer. When you click next I want the adressbar to hang with it, e.g if you start on ?photoid=1, and click next (next picture appends and stuff), and then i want it to say ?photoid=2.
Now I cant make it say ?photoid=2 without changing/manipulating, and this you cant do without HTML5.
I have made a script in HTML5 that works fine, but then I need to take care of those who dont have HTML5(only chrome, ff4 etc supports html5)
Made the script from this( https://developer.mozilla.org/en/DOM/Manipulating_the_browser_history )
I thought of adding #photoid=2 so, ?photoid=1#photoid=2 and then check if theres anything in # then use that instead of the $_GET.. But apparently you cannot do that as # is client side handled and never sent to the server.
So what should I then do?
Any suggestions please to make a workaround this? I checked facebook, what they did to IE users, and I could hear that it "clicked" (the annoying click sound from IE) twice.. the first was to get to the next picture, the second click sound changed the adressbar?!(how?).
And then I also thought hey, html5 is only supported in ff4, and I got ff3.6, and they manipulate the adress bar url when you browse through the album photos, exactly like how I wanted (and what I have written for but it only works in Chrome and ff4..?). How could they do that?
The hash is the only way to change out the url bar without automatically refreshing the page you're on. That's why it's an anchor tag (the hash) historically. Everything else tells your browser to go to a different page. If you don't want it to forward, throw in a hash and then read that hash with javascript and do what you want that way. It's easy with jQuery, or you could dig into Asual's swf address js library or jQuery's Hash Tag Change Listener plugin if you want to use your browsers back/forward button to go through your history states.
I'm not quite sure if understood your quite right, but here's what I came up with for a similar problem.
Why don't you just set the url by editing the location.hash just like you said to make it look something like this: www.mydomain.com/photos/#photoid=2.
Now when somebody calls this url the browser will try to load www.mydomain.com/photos/ and will get the necessary markup but not the photo and what you can do now is read the location.hash (which will return photoid=2) and load the picture via AJAX by sending a request to the server with a path like "www.mydomain.com/photos/" + location.hash

Make links inside an iframe open in a new window

I'm trying to display an map inside an iframe that has a needle which on mouseover shows some information about a certain company, the thing is once you click the link the page opens up inside the iframe which ruins the experience, so i was wondering is it possible to make the links inside an iframe open up in a new window instead perhaps using jquery or something similiar?
the code i have atm is
http://www.jsfiddle.net/rkd59/1/
Edit: the very least capture a click within the iframe so i might resize the iframe
You will need some kind of open API to do this properly, and Eniro doesn't provide one according to this page (in Swedish).
I would recommend you to use the Google Maps API v3 instead. I've made an example on jsFiddle that looks similar to that of Eniro.
I'll gladly give you more help with this, so just ask away!
You can't (or it is extremely hard to ) make events inside the iframe affect the parent page. This is to prevent attacks from XSS, or cross site scripting. Having said that, if the site within the iframe is on your own domain and you want to set up some extremely tricky ajaxing and php session IDs, maybe you could make something work, but even then I'm not sure. And I don't know if this would be a security hole, maybe someone else can speak to that. It would perhaps look like:
main page sets up session ID and passes that to the iframe url via a get variable
the iframe takes click information and sends it to a Session variable via an ajaxing call to a script on the server.
The main page then reads (how?) the session cookie and makes changes based on it's value.
All in all, you may find that it may be much simpler and more secure to acheive what you want using a different method.
Due this map is loaded inside an iFrame, it's not possible to run any javascript event listeners on the links, neither is it possible to change the html.
Please try the following:
<script>
x=document.querySelectorAll("a");
for(i=0;i<x.length;i++)
{
x[i].setAttribute("target","_blank");
}
</script>
Thus all links open in new frame.
To make a link popup in a new window you would usually use target="_blank" as such:
Go to Yahoo
However this will only work if you can modify the code you're showing within the iFrame
There is a partial solution.
You can add an absolutely positioned DIV tag over the top of the IFRAME and capture clicks on this instead. See example here shaded in 20% alpha red.
http://www.jsfiddle.net/rkd59/6/
However, this means that the map works in "read-only mode" and while you can capture the click event you wont know what link the user has clicked on.

Subscribe to javascript event in an iframe (facebook)

I have an application where I use an iframe for a facebook likebox.
I want to subscribe, in the main page, to the event when the user clicks on the like button in the iframe.
Basically as soon as the user likes the page I want him to be redirected to a page I'll specify.
What javascript command can I use?
Thanks
Unless your parent document is on the same domain as the Facebook Like frame, you can't script into it at all, for security reasons. This is the Same Origin Policy. It prevents you not only from detecting the click but also from impersonating the user, forcing them to perform actions (such as Liking you) without their consent.
You can try to place an element on top of the frame to detect clicks, but by intercepting the click you also stop it going through to the frame. About the best you can do is detect a hover over the area of the Like button and remove the covering element, allowing the user to click. This isn't reliable though since it'll catch all mouseovers.
You can hook this up to the button
onclick = "window.location('www.google.com')"
obviously replacing the URL with yours. But you might want to check if that's legal.

Intercept click on content in an iframe

I have an iframe that references an external URL that serves up pages that contain Flash adverts.
I need to track how often a customer clicks on one of those adverts.
The approach I am taking is to render a div element over the iframe. This allows me to intercept the click event, however I need to pass that click down to the iframe. Is this possible using JavaScript?
No, it's not possible. You can't simulate a real click in javascript, you can only fire click events.
I do not think that it is possible as well
But, assuming that the clicks redirect the user to the site of the advert, you could intercept the user click using redirections. Change the link to some script on your own server with some unique advert id. Register the click and redirect the user to the advertisement page.
Another possibility is to use this technique to load the contents of the iframe, so you known the amount of customers viewed the advertisement. But this of course might be an advertisement scheme your advertisement customer does not like/want.
You can't pass the click through by any legitimate means, and you'll run up against cross-domain problems if you tried to fake it in anyway. And I would definitely stay away from anything that looks like a clickjacking solution - it's bound to stop working (and feels evil too).
You may be able to hack something, depending on how accurate it has to be. This would involve tracking the sequence of events happening when user has put their mouse into the banner area and then left the page (inferring that they clicked on the ad). You'll miss some, and you may catch some false positives too.
It would work something like:
Leave the covering div in place
onMouseOver, hide the div and set an
onbeforeunload event handler that
registers a "click" through an AJAX post (or similar)
when the mouse moves out of the banner area it means they didn't click the ad, so show the div again and remove the event handler
I'd guesstimate you'd get about 80-90% accuracy, but you're going to have to test on a lot of browsers. It's also assuming the ad loads into the same window and not a new one. If it loads into a new one then I think it's going to be even harder.

Categories

Resources