Maintain redirection inside iFrame - javascript

I am building an application where I want to load a page from another server into my page. The particular page that I'm pulling data from depends on a query that is being run (with OAuth access) on that foreign server. Once I get the URL for that page, I am loading it in an iFrame and displaying it on my page.
The problem is, the URL that the query gives me is actually to a page that forwards three times before getting to where I actually want to go. To make things more complicated, it also has frame-buster code on the initial page. I set my page to redirect to a page that returns a 204 status on page unload so as to beat the frame-buster, but now it's just stuck displaying the initial blank page instead of the content I want, which is at the end of three redirects.
My initial idea was to try to capture the code for the outgoing location request on page unload. I had hoped to be able to see where the user is being redirected to and load that request inside the iFrame instead. Repeat three times to get the correct page in the iFrame. Intuitively, however, this felt like it shouldn't be able to work, and of course it does not because letting pages see where their users are going to upon leaving a site would be a major privacy issue.
Next, I was thinking that maybe I could just parse each new page in turn as it was loaded into the iFrame to find the script for the redirect. I'm pretty sure it's done on the server side, however, since looking at the code I was getting didn't turn anything up.
I started looking for ways to maintain that redirection inside the iFrame. That is, allow the redirect to occur, but force it to stay inside the iFrame while also preventing the frame-buster code from doing anything. This would be the easiest solution, but I can't find a good way to do it. Right now, I just have a blank page loading inside an iFrame, and I think there's something on the server side that performs the redirect that isn't running in the iFrame. The frame buster code only prevents the entire document from changing, not the iFrame. Is there a good way to do this or am I going about things the wrong way?

To prevent the frame buster, from here:
<script type="text/javascript">
    var prevent_bust = 0
    window.onbeforeunload = function() { prevent_bust++ }
    setInterval(function() {
        if (prevent_bust > 0) {
            prevent_bust -= 2
            window.top.location = 'http://server-which-responds-with-204.com'
        }
    }, 1)
</script>

Load the first page via curl locally, strip the busting code, make all links absolute and display that in the iframe.
It should redirect as expected and do your merry thing.
Good luck making all the URLs in the document absolute. Don't forget JavaScript URLs and functions you might need to override by pasting in your own code after the script tags.

Related

Chrome Extension Detect if User Logged in To Any Website in Content Script

Doesn't have to be in the content script. I'm wondering if there's any way to check if say a person is logged into like their bank website as I do not want the content script to do any processing on that for privacy reasons. Is there any easy way to do this without reloading the page. If not what's the easiest way to do this with reloading the page without cookies and comparing htmls?
I need to find if they're logged in on their bank or facebook or anything to disable the script. I do not care if the content script didn't run at all on pages in login areas. I've thought about various ways to detect members area, which all require a reload of the page and come with caveats:
Fetch page again using ajax without cookies if possible, to compare with the existing html of the page to see if it's the same. (tricky to send ajax without cookies, deleting and restoring cookies may disrupt user session).. also still requires a reload.
Creating an incognito window to fetch again without logging in and compare htmls (but this doesn't work in Firefox as incognito is up to the user, it's also a bit annoying)
Load into iframe (can't do this either as iframes force load the images too)
Check if any logout link exists on page. I was doing this before and it does work most of the time actually but many sites have the logout links hidden in the dom even if it's not logged in. I suppose there may be a way around this if I detect actual style properties. It also doesn't work if the logout link is an icon or something so it's not ideal.
Any other ways to detect if they're in a members area or something?!
I was doing this to refetch it without cookies but it forces images to load as I have to insert it into the DOM to load the url in iframe:
function createframe(url) {
    let iframe = document.createElement("iframe");
    iframe.setAttribute("src", url);
    iframe.sandbox = "allow-scripts";
    // The frame only starts loading once it is attached to the document.
    document.body.appendChild(iframe);
    return iframe;
}

Reloading Website without stopping JS code

I am trying to run a JS script on a website (not my own) and I want it to refresh the website, in order to check for updates. However, I have only found code online for reloading the entire page (location.reload(true), etc...), which clears any code that I have running through the console. I am new to JS so is there any way to refresh a page and keep the JS code running? Also might there be a way to only reload a certain portion of the page?
Basically,
Reload website without stopping code
Using jQuery you can easily load any part of a page from a URL using AJAX. To fill the body element with the contents of a URL:
$('body').load('/page');
Your URL can respond with the segment of HTML you want to render, or you can request a full web page and grab just the segment you want by adding a selector:
$('body').load('/page body');
The page isn't technically refreshed, just the HTML content inside the body (or whatever element you select) is replaced. Any previously loaded header content like JS remains and keeps running.
There is no way to actually refresh the entire page without stopping the execution of the JavaScript code.
For doing updates on the page there would be two possibilities:
Use of AJAX (Asynchronous JavaScript and XML) to check for new updates on the page. There are some very good tutorials out there on the internet – just google »AJAX JavaScript«.
Use of IFRAME. Make a page and stick all the stuff in it and then put that page in an iframe and then reload the iframe instead of reloading the entire page.
Hope I could help you.

How can I get links to a redirect page to show up in the browser's history?

A website contains a "random" link, which loads a url that returns a 307 redirecting to the url we want. It works fine: click it and you load a random page. The problem is that each time you click it, the browser assumes you're loading the same page: so if you're on the homepage, then you follow the random link 5 times, then you press back, you'll be taken all the way back to the homepage, with no way to find the random pages you were just looking at. I want to modify this behavior so that users can access previous random pages via the back and forward buttons.
I don't own the website, so I can't just change the redirect code.
Here's what I've tried, all of which has failed.
Predicting what would be redirected to. While somewhat possible, there would be no way to avoid failure in up to .1% of clicks, and it would react very poorly to unexpected events, like a page that's published a day late, let alone a site structure change.
Loading the 307 page via ajax. The request stops at readystate == 2 and I can't access the location header.
Cancel the click event and instead set location.href = random_link.href. This has no effect - the new page still doesn't go into history.
Have the new page call history.pushState. This successfully adds the page to history, but I can't find a way to distinguish between new pages and ones being opened via the back button, so the history quickly becomes very corrupted.
Keeping my own history in localStorage. As above, I can't tell when the back button is being used.
I'm working on a solution that I'm pretty sure will work, involving loading the page in an iframe over the existing page and using a background process and messaging to work around the fact that content injections from chrome extensions can't access window.parent from within iframes. And using the history API to reflect the current iframe's URL in the address bar, and get the back and forwards buttons to apply to the current iframe where appropriate.
While I'm pretty sure the last solution can be made to work, it's a hideously complex and heavyweight approach to what seems like a simple problem. So I thought I'd ask you guys before I continue: any other ideas?
Have you tried storing the locations in localStorage, then hijacking the back button?
I am sure you know how localStorage works; for hijacking the back button you can refer to this: Is there a way to catch the back button event in javascript?
T.

Cross-domain and iFrames

I am trying to do something I really can't figure out. I have an iFrame loading some content from another domain on which I have no power. What I am "simply" trying to do is fetch the content of the iFrame to use it in PHP/Javascript. This is where I faced the "cross-domain" problem. I am unable to access the content of the iFrame. So frustrating.
So I read, and read some more, and saw the "postMessage()" function provided by HTML5. I saw a solution with this system, but I still can't figure out one point. Basically, it works with a sender and a listener. So I need to have a listener in the iframe that, when triggered, will send the content back to the main window.
But HOW do I add some code in the already loaded iFrame without deleting the content?
I don't really need to use postMessage(); it can be anything as long as I can get this damn content!
Any suggestion is appreciated!
Thank you!
This is still not possible and for good reason!
To read from another domain using the client's cookies, IP and credentials requires the page being viewed to expose the information somehow - It's a 2-way conversation with the Listener (Outer page) and Sender (IFrame) working together.
A reason this is required: Imagine making an IFrame that takes up 100% of the page. You could show a common website's login form in the IFrame and yet intercept keystrokes/input box changes and log them. The user would only know the difference if they checked the URL.
If you have control over the browser of the user, you could use GreaseMonkey's cross-domain AJAX to get the contents of the IFrame (Assuming Firefox/Chrome)
Won't something like this help:
function getContentFromIframe(iFrameName)
{
    var myIFrame = document.getElementById(iFrameName);
    var content = myIFrame.contentWindow.document.body.innerHTML;
    //Do whatever you need with the content
}
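
The listener/sender arrangement that the first answer above describes, as an added example that is not part of the original thread: the framed page has to opt in by running the responder, and both sides check `event.origin` before trusting a message. The origins `https://parent.example` and `https://frame.example`, the message types and the function names are assumptions for illustration.

```javascript
// Added example: cooperative cross-origin content sharing via postMessage.
// Origins and message shape are assumptions, not taken from the thread.
const FRAME_ORIGIN = 'https://frame.example';   // hypothetical iframe origin
const PARENT_ORIGIN = 'https://parent.example'; // hypothetical outer page origin

// Sender: runs inside the framed page. It answers only the embedder it
// expects and addresses the reply to that origin explicitly, never '*'.
function makeFrameResponder(getContent, trustedParent) {
  return function onMessage(event) {
    if (event.origin !== trustedParent) return false; // unknown embedder
    if (!event.data || event.data.type !== 'get-content') return false;
    event.source.postMessage(
      { type: 'content', html: getContent() },
      event.origin
    );
    return true;
  };
}

// Listener: runs in the outer page. A reply is accepted only if it comes
// from the expected origin AND from the iframe's own window object.
function makeParentListener(frameWindow, trustedFrame, onContent) {
  return function onMessage(event) {
    if (event.origin !== trustedFrame) return false;
    if (event.source !== frameWindow) return false;
    if (!event.data || event.data.type !== 'content') return false;
    if (typeof event.data.html !== 'string') return false;
    onContent(event.data.html);
    return true;
  };
}

// In the framed page the responder would be registered like this:
//   window.addEventListener('message',
//     makeFrameResponder(() => document.body.innerHTML, PARENT_ORIGIN));

// Outer-page wiring; skipped when run outside a browser (e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.querySelector('iframe');
  if (frame) {
    window.addEventListener('message',
      makeParentListener(frame.contentWindow, FRAME_ORIGIN, (html) => {
        console.log('received', html.length, 'characters');
      }));
    frame.addEventListener('load', () => {
      frame.contentWindow.postMessage({ type: 'get-content' }, FRAME_ORIGIN);
    });
  }
}
```

Without the responder running in the framed page, the outer page receives nothing, which is the point the answer makes about both sides having to work together.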

Force iframe to Load Full Frame

I have an HTML page (say welcome.html) which contains an iframe to a page I have no control over (say app.html). The user performs some actions using the app within the iframe and clicks submit. Once they do this, they are taken to a new page (say thanks.jsp), which loads within the iframe. Is there a way in which I can force thanks.jsp to load in the full frame and not the iframe once submit is clicked? Remember, I have no control over the logic behind that Submit button or app.html. I do however have control over welcome.html and thanks.jsp. If possible, I would like to stick with HTML and/or JavaScript. Thank you in advance.
You probably want to use a framebuster, with a base target in case it fails.
First:
If thanks.jsp is requested via a post request - redirect so that you present the page as the response to a get request.
Then:
Include framebuster JavaScript:
<script type="text/javascript">
    if (self != top) { top.location.replace(location); }
</script>
Finally:
In case the user doesn't have JavaScript enabled, make sure they don't stay in the frame any longer than they have to:
<base target="_top">
On thanks.jsp you can put in the following JS:
// Parent window not the same as this one
if (self != top)
{
    top.location.href = self.location.href;
}
This will work provided that you have thanks.jsp on the same server as the original page containing the frame, due to the same origin policy.
The above code checks the url of the page you're on, then the one of the page it's executing on (thanks.jsp) - if they don't match you're sent to the thanks.jsp url. This method works fine when thanks.jsp is a static page, but won't carry postdata etc across with it.
