Getting the Document Location from another Window showing another Domain - javascript

I am trying to get window A (on our domain) open window B (another domain, like YouTube) and I want to show the current document location of window B in window A.
As an example, here is some of the code I am using:
var popup;
var popupRelay;
function findPopupURL(){
var loc=popup.document.location.href
$('#popuploc').html(loc);
}
function clickPopupLink(){
var windowProperties='height:500,width:1000,location:1,toolbars:0';//etc etc
popup=window.open('http://www.youtube.com/','popup',windowProperties);
popupRelay=setInterval(findPopupURL,1000);
}
This code generates this error however:
Error: Permission denied to access property 'document'
Unfortunately the work arounds I keep finding requires me to put code on both domains, which is obviously not possible if Im opening somewhere like YouTube.
What I want to know is, is there a way of getting the document location from another window showing another domain? Can it be done at all? And if so, how?

No, it is not possible to spy on what people do on other domains. That is exactly why the Same Origin Policy exists.

Related

Cross-origin security error when moving an application to a subdomain (2018)

Background information: We have a platform which runs on https://system.example.com. This platform consists of 10 separate web applications (all written in PHP and JS). Each application has historically been in a sub-directory within the same subdomain:
https://system.example.com/app1/
https://system.example.com/app2/
...
https://system.example.com/app10/
We are in the process of rebuilding one of the applications, app2, and have decided to host this on a new separate subdomain, https://app2.example.com.
Part of the app2 application uses JavaScript to open a pop-up window for app10. Most functionality inside this popup works as expected. However, when attempting to use a "Save" button inside the popup my browser console was showing:
Uncaught DOMException: Blocked a frame with origin "https://app2.example.com" from accessing a cross-origin frame.
at https://system.example.com/app10/manage.php:1:334
I have read both SecurityError: Blocked a frame with origin from accessing a cross-origin frame and https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage but still unclear as to how to fix this.
The code and process I have is as follows:
The popup is opened from https://app2.example.com by a button which has an onclick event handler:
<button onclick="postToPopUp('https://system.example.com/app10/manage.php', 'fileManage', 'width=800px,height=600px', ['f_id', '123'], 'app2', 'filesCallbackManage')">Open app10</button>
The postToPopup() function is used to pass POST data from app2 into https://system.example.com/app10/manage.php based on Javascript window.open pass values using POST - this works fine.
The problem occurs when I click a "Save" button inside the popup which renders the following markup within the popup window:
<!doctype HTML><html><head><title>upload</title>
<script type="text/javascript" language="javascript" charset="utf-8">
var fileObject = {"files":{"0":{"f_id":"1784","f_title":"test07.pdf"},"f_id":123}};
window.opener.filesCallbackManage(fileObject);
window.close();
</script><body></body></html>
What this did originally - when everything was under the same subdomain - was called a js function filesCallbackManage() which resided in the code for https://system.example.com/app2. The function itself was passed an object, fileObject, which updated various parts of the UI inside app2. The popup was closed after clicking the Save button due to window.close();
Although I've read about using postMessage I don't understand how this fits in or whether this is even the correct solution to my problem? The data is being posted from the subdomain https://app2.example.com to https://system.example.com/app10 correctly. The problem is that filesCallbackManage() won't fire because of the cross origin restriction. Inside my code for https://app2.example.com I have a simple statement to see if it's firing:
function filesCallbackManage(data)
{
console.log('filesCallbackManage has fired');
}
This never fires because of the problem I have. I get the console error mentioned previously and a blank popup window (technically this is correct since there is nothing in the <body> tag in the above markup) but the window doesn't close and the callback isn't fired.
The example given on the Mozilla website isn't extensive enough to understand how it can be adapted to this type of scenario. Please can someone elaborate? Furthermore, the linked Stack Overflow post is four years old so I want to be sure anything I put on this is secure and up-to-date.
The postToPopup() function is used to pass POST data
Submitting a form across origins is fine. So you can do this.
The problem occurs when I click a "Save" button inside the popup
You're trying to access the DOM of the window across origins. This is forbidden.
Although I've read about using postMessage I don't understand how this fits in or whether this is even the correct solution to my problem?
postMessage is as close as you can get to accessing the DOM of a window across origins.
You can't do this.
var fileObject = {"files":{"0":{"f_id":"1784","f_title":"test07.pdf"},"f_id":123}};
window.opener.filesCallbackManage(fileObject);
Instead you have to send a message:
window.opener.postMessage(fileObject, "https://system.example.com");
And have code which listens for it:
addEventListener("message", receiveMessage);
function receiveMessage(event) {
if (event.origin !== "http://app2.example.com") { return false; }
filesCallbackManage(event.data);
}

Javascript - How can I get perfect window object from another server? [duplicate]

I open a website in a new tab through javascript by writing the following code in the browser console:
var win = window.open("http://staging.redefinewebs.in/wildgoose-const/wp-admin/post-new.php", "mywin", '');
Now I want to add text in a field in the newly opened tab. But for that I need the access to win.document. When I write win.document in the console I get the following error:
Error: Permission denied to access property "document"
This error doesn't appear if I open other websites in new tab. So,
How to get access of document object of a window opened in a new tab with window.open?
You cannot access a child window's DOM, if it violates the Same Origin Policy.
You can access the DOM of a child window, only if the following three conditions are satisfied.
Both windows have same protocol (http/https)
Both windows have same host (google.com and news.google.com are different)
Both windows have same port (google.com:80 and google.com:443 are different)
How to get access of document object of a window opened in a new tab with window.open?
If the window is opening a document from a different origin, you don't; cross-origin access is denied by the browser because of the Same Origin Policy. From the error in your question, that would seem to be the case here.
If the window contains a document from the same origin, you can access it as you've shown; but note that it may still be loading immediately after you call window.open and you might need to wait for it to finish doing so, perhaps with the DOMContentLoaded event.

Execute command on another tab

I'm new at JavaScript, so can someone help me? How can I execute a command on another tab? For example, I have opened new tab from my main tab and opened translate.com (just for textbox) on it, and the problem is I don't know how to put text in search textbox?
I open the page with this command:
var page = window.open('https://www.translate.com/');
On the page, I can enter text with this code:
$string1 = $("#source_text");
$string1.val("text");
I have tried this, but this code doesn't work the way I want it to.
var page = window.open('https://www.translate.com/');
setTimeout(function(){page.f1()},20000);
setTimeout(function(){page.close()},30000);
function f1() {
$string1 = $("#source_text");
$string1.val("ka tu");
}
I find the function that you are trying to run very abnormal. So, let's start with small steps.
The page.close() function is perfect you can do that and it works. The other part won't work first of all because the page object created by window.open has no function called f1 on it.
Furthermore it is very important from where you are trying to run the script on the other window you always must take into consideration the cross-origin limitations. Easily explained if you try to run a function from a google.com tab on a separate window yahoo.com it won't work this is a security issue.
In order to run function f1 in that window it is important that f1 function is declared globally and ussualy you try and do this the following way page.window.f1() - and there you have it. So for example your code would be
page.window.$("#source_text").val('something');
refactoring your code would be like this:
var page = window.open('https://www.translate.com/');
setTimeout(function(){ page.window.$("#source_text").val('something');},20000);
setTimeout(function(){page.close()},30000);
open translate.com in a tab open dev tools in chrome and paste the above code in the console tab and see the results, it will work.
I recommend that before running code in another window you should check that that window is loaded first of all (in your case works) because of the long timeout.
A better solution would be using HTML5's postMessage API: check this link here for a good tutorial: https://robertnyman.com/2010/03/18/postmessage-in-html5-to-send-messages-between-windows-and-iframes/ - also this meens of course that the window you are opening is listening for some sort of postMessages.
In general you do this things with hosts that you manage and not other hosts because it might not work always. Also it will always work if you are on a host and open the same host in another window otherwise you end up with this security error: VM88:2 Uncaught SecurityError: Blocked a frame with origin "https://some_other_host" from accessing a frame with origin "https://www.translate.com". Protocols, domains, and ports must match.
Hope this helps, and you understand the way it works now.
Cheers

var myvalue = window.opener.document.getElementById(“parentId1”) is not working

I was trying to get the value from my child.jsp to my parent.jsp using
var myvalue = window.opener.document.getElementById(“parentId1”)
Even though there were no errors found in the console the value is not getting in the parent page.
The child popup window has the url starting like, https://host.example.com:7001/..... and the parent page url is different starts with http://anotherhost:8080/webapp.... is there any issue in communicating with a child window and a parent page which is on another server?
If so how can I solve this issue?
...is there any issue in communicating with a child window and a parent page which is on another server?
Yes, this is prevented by the browser's implementation of the Same Origin Policy.
If you control both servers, look at using Cross Origin Resource Sharing.
Alternately, if you control the JavaScript code on the pages but not the servers (or just if you prefer this mechanism), you can use postMessage to send messages from one window to another. You can't directly access the other window's elements as in your code snippet, but the two pages can cooperate to deliver the relevant value from one page to another, even cross-origin. More on postMessage: MDN | Spec
Unless you can use CORS or postMessage, I don't think you can do it client-side; you'll need a proxy.

Unable to access data from a child window with https url

I have a simple html file. Using javascript I am opening a https link as a child window.
However, if I try to get any data say
var handler = window.open('https://abc.com','newWindow');
var title = handler.window.document.title;
Then it throws an exception saying
Permission denied for http://localhost to get property Window.document from https://abc.com
Can anyone help me out with this.
I don't really know if we are allowed to get data like that or not.
Thanks & Best Regards.
You are not allowed to access data in this way.
If you are a page on hostname A, you can open windows/frames on hostname B, but cannot in any way interact with them - for security reasons. Otherwise, I could open gmail in an iframe and find out your email address from the window title.
This restriction only applies if window A and window B have different hostnames (this includes protocol, host and port). So if you open iframes/windows on your own domain, this is not a problem.

Categories

Resources