Iframe src cross domain - javascript

I need to display another website in an iframe. I don't need to access anything on this website I'll be displaying. Is this in violation of the cross domain policy? If so, would a proxy bypass this?
I tried a simply iframe with its src set to http://google.com as a test, and it looks like this does violate this policy. How can I bypass this if I don't need to access anything on the displayed webpage.

No, you can access any site through an iFrame.
What is against the policy is trying to manipulate the site in any way and modern browsers won't let you manipulate it anyways.
Google does allow you to get their site through an iFrame, however, they're using code to "break out of frames", so instead of viewing their site through an iFrame, you'll just be redirected to google.com

Ah, I see now that its only the test page I used, google, that forbids this. Other sites are OK.

Related

How pinterest managed to load an iframe on any website when their extension is clicked?

I'm trying to develop an extension similar to that of Pinterest's PinIt extension for google chrome. In general, i know that loading any URL in an iframe which is not from the same origin would result in giving an error "Refused to display 'https://www.someWebsite.com/' in a frame because it set 'X-Frame-Options' to 'DENY'."
However, i do see that Pinterest is loading a URL on any website when using their extension. For Example, i was using the extension on instagram.com (i've used it on other sites as well) and then i took a screenshot of what i could not understand. (Please refer to selected area in DOM)
Can anyone tell me how this can be achieved or probably how pinterest is doing this?
X-Frame-Options dictate which frames can embed the page, not which pages can be embedded in it.
So if, say, https://www.someWebsite.com/ disallows to be embedded, X-Frame-Options doesn't prevent embedding https://www.someOtherWebsite.com/ inside it (if the other website allows it).
However, child-src or frame-src Content Security Policy directive can prevent embedding another page.
In theory, both mechanisms can be be overridden by webRequest API. However:
PinIt doesn't use it, so logically it should fail on some sites.
http://content-security-policy.com/ is an example where it simply fails.
There may be additional countermeasures if you decide to circumvent response headers.
It's a cat and mouse game if some resource is unwilling to be embedded or allow embeds.
By changing CSP headers, you are weakening security considerably for your users.
I finally figured out how to deal with this. I still do not know how exactly pinterest is doing it but i'm sure i'm close to it.
I simply load an iframe in the body of the parent by injecting my own JS to the page.
Then i iterate through all the images available on the page like
$('img).each(function(){
// do my stuff to see if i need this image
// push them in an array (say, var imgArray)
})
var imgToString = imgArray.toString();
var myIframe = document.getElementById('iframe_id').contentWindow;
myIframe..postMessage(imgToString , '*');
And then in the iFrame that i load, i recieve the message and use the images...
So the gist of the whole issue is that postMessage() is my saviour.

Bypassing iframe sandbox?

Someone iframing my website, using
<iframe src="http://example.org" sandbox=""></iframe>
This way, the sandbox attribute prevents my site to use iframe blocker on it. And it can be easily iframed.
Frame buster on my website:
if (window.top !== window.self) window.top.location.replace(window.self.location.href);
Is there a programmatic way to redirect to my site when its being iframed when used with sandbox attribute ?
Iframing can be protected through the X-Frame-Options response header, set either X-Frame-Options value="DENY" or X-Frame-Options value="SAMEORIGIN". Through this response header settings you can protect your website against IFraming or clickjack attack.
Once X-Frame-Options response header is set, browser receives a standard message like "This content cannot be displayed in a frame".
The sandbox attribute is turning off all javascript, amongst other things. This is why your frame buster will not be working, nor any other javascript people have provided.
W3 say of a sandbox:
scripts are disallowed/disabled within the iframe
links to other browsing contexts are disallowed/disabled within the iframe
A test shows that the attribute also disables meta redirects and any standard link which breaks out of the iframe.
With this strictness, I'd be very surprised if a redirect is possible, since that would defeat the point of the sandbox.
The best I can suggest would be to use the noscript tag to display a message to users seeing the page in a sandboxed iframe. You could style that so people can't see your content.
(If it is just one site being a problem, then blocking them with htaccess would probably be a better approach)
I think the best thing you can do is show your own message with a target="top" link. The whole concept of the sandbox attribute is to disallow redirects. There is no way to bypass that and if you ever find one browser makers will probably find a way to stop it. It's clearly their intention.
This is just how the web works. You can't do whatever you want when it comes to browsers.
#SudiptaKumarMaiti's answer of X-Frame-Options works, but is being superseded by Content Security Policy (CSP) Level 2 - specifically the frame-ancestors directive.
To disallow framing completely (similar to X-Frame-Options: DENY), use this HTTP header:
Content-Security-Policy: frame-ancestors 'none';

Xpath of element on another website/cross domain

I want to get the XPATH of an element on a website (my own domain), which I got it using JavaScript code as mentioned in this answer.
Now what I want to click on button which will open a url (cross domain) window and when user click on an element on that window it's XPATH is captured.
I tried doing the same using iframe with no luck.
Now my question is there a way to get the XPATH of an element of another website/ Cross domain?
Sorry this is not possible without cooperation from the other (x-domain) site. Browsers are designed not to allow access to the DOM of x-domain documents (iframe included) for security reasons.
If you had cooperation from the other site, they could load your javascript file and then use postmessage to pass the xpath to the original page.
Other options would be to create a bookmarklet users could use on the other page, or a browser extension (Chrome and FF are pretty easy to develop for)... depends on your use case.
From your comments, I've gathered that you want to capture information from another website that doesn't have Access-Control-Allow-Origin headers that include your domain (e.g. the other site does not have CORS enabled). This is not possible to do cross-domain and client-side due to the Same-Origin Policy implemented in most modern browsers. The Same-Origin Policy prevents any resources on your site from interacting with resources on any other site (unless the other site explicitly shares them with your site using the Access-Control-Allow-Origin HTTP header).
If you want to get information about another site from your site, there is no way around using server-side code. A simple solution would be to implement a server-side proxy that re-serves off-site pages from your own origin, so the Same-Origin Policy will not be violated.
You may get the data using jQuery's load function, and append it to your page.
From there, the DOM nodes from your external page should be accessible for your processing.
$('#where-you-want').load('//example.com body', function() {
console.log($('#where-you-want'))
// process the DOM node under `#where-you-want` here with XPath.
})
You can see this in action here: http://jsfiddle.net/xsvkdugo/
P.S.: this assumes you are working with a CORS-enabled site.

Get innerHTML of iframe loaded in chrome background page

I'm loading a webpage inside iframe of a background page in chrome extension. I need to fetch the content (i.e. DOM) of iframe. I'm getting protocol error. how to overcome this situation, any workaround.
"Unsafe JavaScript attempt to access frame with URL https://swym.3ds.com/ from frame with URL chrome-extension://ohhaffjbbhlfbbpcdcajbkeippadmipk/back.html. The frame requesting access has a protocol of 'chrome-extension', the frame being accessed has a protocol of 'https'. Protocols must match."
I'm trying to implement a desktop notification for the above site, hiding the process from user eye.
I tried using XMLHTTPRequest and Jquery GET, unfortunately my site loading is unstandard, it doesn't work as intended.
Any suggestion on this topic will be very helpful.
It seems you're facing Cross-origin resource sharing issues. Do a quick check for resources loaded with protocols, convert http://www.example.com resources to //www.example.com Also refer MDN CORS Article
Javascript cannot access content on another domain as it poses security risks. If you have control over the domains, you may use postMessage to overcome this. Take a look at this link

Show content from other website and track the URL

On my JSF page I am trying to show some other website in an iframe and show its URL. I understand now that for security reasons I can only access the URL of the iframe if it is showing some site of my domain. So, I've found that problem a lot of times in the internet, but I couldn't find any solution. I don't want to read the content of the iframe, but only the URL.
Is there any solution for this requirement? Using an alternative to iframes? Frameset, browser in browser? Popup?
If you want to stick to the iframe option, I would test to see if the innerhtml of the iframe matches that of the website they are meant to reach. The innerhtml in webkit does seem to change as the user browses.
The only alternative I can think of is http proxying the web sites, changing the links to refer to your proxy, then telling them they win when the requested proxy URL matches that of the destination.

Categories

Resources