I have an HTML page with an iframe included from a cross domain that doesn't belong to me.
I need to do some basic JavaScript modifications in the iframe (write a value and fire an event -> form processing).
Because of the same-origin policy I'm not allowed to do this. However, I need to do it, so I'm searching for a workaround.
All that matters is that I can run a script for myself. It is enough if it works in one browser, and I don't need security for myself.
In my research I have found a lot of ways to break the same-origin policy, like document.location (in FF only with similar locations), JSONP/sendMessage (I need to be the owner of both domains) and so on, but nothing that works with an iframe of a page that doesn't belong to me.
The only "workaround", if you can't make the other site include the relevant CORS headers, would be to fetch the iframe content server-side and serve it as coming from your own domain.
The reason there isn't a simpler workaround is the reason the same-origin policy exists in the first place: to protect users.
Related
I have been given an address with a basic HTML structure; it just has some numbers in it. I have tried doing it as an iframe; if I create a simple HTML page that does work fine, but in the page itself, if I hover over the iframe, it says that it refused the connection.
I have tried with AJAX, but it gives me a mixed content error, since the page where I want the content inserted is secure (https) and the page where the numbers are is not.
Is there any workaround I can do in this case?
Thank you in advance.
This is because of a CORS (cross-domain access) problem:
If you are accessing a URL on the same domain there won't be any problem, but if you are accessing content of another domain there is a security issue.
This is possible only through the concepts below:
Enabling CORS - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Image pinging - limited in data size
JSONP
I have a very old site built in ASP .Net 2008 by an external team whom I have no contact with. All of a sudden a page doesn't seem to render properly in Chrome and Firefox but works fine in other browsers. The page is set up with an iframe.
Looking under Inspect Element (Chrome) for the page failing to render, I see the error:
Refused to display 'http://www.example.com/somepage.html' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.
So I read a few articles, and I may not understand this fully, but it seems to me the error is that the requested domain will NOT allow itself to be displayed within a frame.
The URL above is not the URL I am familiar with (i.e. it's third party; I don't have any control over it). Is there any way to resolve this, or is this purely something the owner of the domain would have to allow? If so, why does it work in other browsers?
Is there any way to resolve this
Not at your end.
or is this purely the owner of the domain would have to allow?
This.
If so, why does it work in other browsers?
Speculating a little here, but SAMEORIGIN, SAMEORIGIN is not a valid value. It looks like Chrome is attempting error recovery and treating it as SAMEORIGIN.
Quentin's answer summarises it well.
In addition, if it is an external site beyond your control, they may have good reasons to forbid framing (like preventing clickjacking).
They may also have included a Content-Security-Policy: frame-ancestors 'self' header, which would have the same effect.
(And currently, a bug in Chromium (and Chrome) causes X-Frame-Options to take precedence over Content-Security-Policy while it should not.)
You may hack that if their site is served over http (not https) and you have control of a common network device through which all your users' network traffic to this site must go. I mean, on that device, if it allows you to do so, you may filter out 'undesired' headers from this site's responses.
Of course, this is a debatable hack. Depending on the terms of use of the 'victim' site, it could even be a legal issue to do so.
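To make the three answers above concrete, here is an added example (not code from any of the answers) that models how a browser decides whether a response may be framed: CSP frame-ancestors, when present, takes precedence, otherwise X-Frame-Options is parsed the way the HTML spec describes, which is why "SAMEORIGIN, SAMEORIGIN" collapses to SAMEORIGIN while "SAMEORIGIN, DENY" blocks. Source-expression matching is simplified to 'self', 'none', '*' and exact origins; the header values and origins are constructed.

```javascript
// Added example: decide whether a page (pageOrigin) may be shown inside the
// given chain of ancestor frame origins, from its response headers.

function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null; // no frame-ancestors directive in this policy
}

// Simplified CSP matching: 'none', 'self', '*' and literal origins only.
function allowedByCsp(sources, pageOrigin, ancestors) {
  if (sources.length === 0 || sources.includes("'none'")) return false;
  return ancestors.every(a =>
    sources.some(s => s === '*' || (s === "'self'" ? a === pageOrigin : s === a)));
}

// X-Frame-Options as parsed by the HTML spec algorithm.
function allowedByXfo(raw, pageOrigin, ancestors) {
  if (raw == null) return true; // header absent: framing allowed
  // Values go into a set, so "SAMEORIGIN, SAMEORIGIN" becomes {"sameorigin"}.
  const values = new Set(raw.split(',').map(v => v.trim().toLowerCase()));
  if (values.size > 1) {
    // Conflicting lists block only if deny/allowall/invalid is among them.
    return !(values.has('deny') || values.has('allowall') || values.has('invalid'));
  }
  const [value] = values;
  if (value === 'deny') return false;
  if (value === 'sameorigin') return ancestors.every(a => a === pageOrigin);
  return true; // unrecognised single value: browsers fail open
}

function mayBeFramed(headers, pageOrigin, ancestors) {
  if (ancestors.length === 0) return true; // top-level document, nothing to check
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const fa = parseFrameAncestors(h['content-security-policy']);
  if (fa !== null) return allowedByCsp(fa, pageOrigin, ancestors); // CSP wins
  return allowedByXfo(h['x-frame-options'], pageOrigin, ancestors);
}
```

Run it against your own site's headers to confirm the policy you think you are sending is the one a browser will enforce.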
I want to get the XPath of an element on a website (my own domain), which I got using JavaScript code as mentioned in this answer.
Now what I want is to click on a button which will open a URL (cross-domain) in a window, and when the user clicks on an element in that window its XPath is captured.
I tried doing the same using iframe with no luck.
Now my question is: is there a way to get the XPath of an element of another website / cross-domain?
Sorry, this is not possible without cooperation from the other (x-domain) site. Browsers are designed not to allow access to the DOM of x-domain documents (iframes included) for security reasons.
If you had cooperation from the other site, they could load your JavaScript file and then use postMessage to pass the XPath to the original page.
Other options would be to create a bookmarklet users could use on the other page, or a browser extension (Chrome and FF are pretty easy to develop for)... depends on your use case.
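The cooperative postMessage route from this answer (and the one suggested again further down for the extension question), as an added example that is not the answerer's code: the framed site computes an XPath for the clicked element and posts it with a pinned targetOrigin, and the embedding page accepts messages only from the expected origin and shape. PARENT_ORIGIN and CHILD_ORIGIN are assumed placeholders, and both halves are shown in one file.

```javascript
// Added example: XPath hand-off between a cooperating framed site and its embedder.
const PARENT_ORIGIN = 'https://your-site.example';   // assumed: the embedding page
const CHILD_ORIGIN = 'https://other-site.example';   // assumed: the cooperating site

// Positional XPath such as /html/body/div[2]/a, using only nodeType,
// nodeName, parentNode and children so it also works on DOM-like objects.
function xpathFor(node) {
  const parts = [];
  for (let n = node; n && n.nodeType === 1; n = n.parentNode) {
    const name = n.nodeName.toLowerCase();
    const sameTag = n.parentNode
      ? Array.from(n.parentNode.children).filter(c => c.nodeName === n.nodeName)
      : [n];
    parts.unshift(sameTag.length > 1 ? `${name}[${sameTag.indexOf(n) + 1}]` : name);
  }
  return '/' + parts.join('/');
}

// Child side: the explicit targetOrigin means the XPath is delivered only to
// PARENT_ORIGIN, not to any page that happens to frame this site.
function installChildSender(win) {
  win.document.addEventListener('click', ev => {
    win.parent.postMessage({ type: 'xpath', xpath: xpathFor(ev.target) }, PARENT_ORIGIN);
  });
}

// Parent side: check event.origin and the message shape before trusting data.
function acceptXPathMessage(event) {
  if (event.origin !== CHILD_ORIGIN) return null;
  const d = event.data;
  if (!d || d.type !== 'xpath' || typeof d.xpath !== 'string' || !d.xpath.startsWith('/')) {
    return null;
  }
  return d.xpath;
}

if (typeof window !== 'undefined') {
  if (window.parent !== window) installChildSender(window); // we are the framed page
  window.addEventListener('message', ev => {
    const xp = acceptXPathMessage(ev);
    if (xp !== null) console.log('captured XPath:', xp);
  });
}
```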
From your comments, I've gathered that you want to capture information from another website that doesn't have Access-Control-Allow-Origin headers that include your domain (e.g. the other site does not have CORS enabled). This is not possible to do cross-domain and client-side due to the Same-Origin Policy implemented in most modern browsers. The Same-Origin Policy prevents any resources on your site from interacting with resources on any other site (unless the other site explicitly shares them with your site using the Access-Control-Allow-Origin HTTP header).
If you want to get information about another site from your site, there is no way around using server-side code. A simple solution would be to implement a server-side proxy that re-serves off-site pages from your own origin, so the Same-Origin Policy will not be violated.
You may get the data using jQuery's load function, and append it to your page.
From there, the DOM nodes from your external page should be accessible for your processing.
$('#where-you-want').load('//example.com body', function() {
  console.log($('#where-you-want'));
  // process the DOM node under `#where-you-want` here with XPath.
});
You can see this in action here: http://jsfiddle.net/xsvkdugo/
P.S.: this assumes you are working with a CORS-enabled site.
I'm loading a web page inside an iframe of a background page in a Chrome extension. I need to fetch the content (i.e. DOM) of the iframe. I'm getting a protocol error. How do I overcome this situation? Any workaround?
"Unsafe JavaScript attempt to access frame with URL https://swym.3ds.com/ from frame with URL chrome-extension://ohhaffjbbhlfbbpcdcajbkeippadmipk/back.html. The frame requesting access has a protocol of 'chrome-extension', the frame being accessed has a protocol of 'https'. Protocols must match."
I'm trying to implement a desktop notification for the above site, hiding the process from the user's eye.
I tried using XMLHttpRequest and jQuery GET; unfortunately my site's loading is non-standard, and it doesn't work as intended.
Any suggestion on this topic will be very helpful.
It seems you're facing cross-origin resource sharing issues. Do a quick check for resources loaded with protocols; convert http://www.example.com resources to //www.example.com. Also refer to the MDN CORS article.
JavaScript cannot access content on another domain as it poses security risks. If you have control over the domains, you may use postMessage to overcome this. Take a look at this link.
We have an application hosted at "xyz:8080/rootapp" and cometd services hosted at "xyz:9090/cometed". The JavaScript loaded from the cometd server needs to access the DOM/JavaScript loaded from xyz:8080, and the browser's same-origin policy is not allowing it.
To overcome it we set 'document.domain' to "xyz", eliminating the port. This solution is working well, but it is becoming a problem for all the iframes loaded by "xyz:8080", and I need to change each and every iframe to use "xyz" as the domain.
Can someone provide me hints to solve this problem without changing each and every iframe?
Do we have any HTTP header to set the domain?
You can use CORS to specify an exception to same-origin; this will work in any relatively modern browser.
This page has a fairly good intro and a list of compatible browsers.
The short version is: put an Access-Control-Allow-Origin header into the responses from xyz:8080 that contains either xyz:9090 or * (for unrestricted access).
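The Access-Control-Allow-Origin header this answer describes, as an added example (not the answerer's code) for the server at xyz:8080: a Node request handler that answers an Origin from a fixed allowlist instead of sending *, since * cannot be combined with credentials and would hand the data to every origin. The allowlist value is assumed; origins carry scheme and port, and the handler is compatible with http.createServer(handle).

```javascript
// Added example: CORS responses restricted to an allowlist of origins.

// Assumed allowlist: the cometd origin from the question, scheme included.
const ALLOWED_ORIGINS = new Set(['http://xyz:9090']);

// CORS headers for the request's Origin, or {} when it is not allowed.
// The origin is echoed only after it matched the allowlist; it is never
// reflected blindly.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    // Vary so a shared cache never serves one origin's ACAO to another.
    'Vary': 'Origin',
  };
}

// Node http handler: preflights get 204 (allowed) or 403 (not allowed);
// normal requests get the CORS headers added to the JSON response.
function handle(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  if (req.method === 'OPTIONS') {
    res.writeHead(Object.keys(headers).length ? 204 : 403, headers);
    res.end();
    return;
  }
  res.writeHead(200, { 'Content-Type': 'application/json', ...headers });
  res.end(JSON.stringify({ ok: true }));
}
```

Serve it with `require('http').createServer(handle).listen(8080)`; a request whose Origin is not in the allowlist simply gets no CORS headers and the browser blocks the cross-origin read.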