There is an iframe on my site which is hosted on another domain. It can communicate to the main site via window.postMessage. I do have a button on that iframe which calls a JS method on the main domain, which then triggers a new window.
It all seems good but since the user click event is generated on the iframe domain and window is created on the main domain, browser thinks that this is an automated popup, and blocks.
Is there anything I can do to prevent browser from blocking the window?
since that is browser based you cannot overwrite browser settings. But you can use javascript "modals" which are very useful since they are not pop-ups but they don't have the functionality of an pop-up
Related
Is it possible to force a pop up to open in an iframe where the action to open the pop up has taken place?
I have a VueJs Application that displays a website inside an iframe and don't want the application to open new windows. But it is also not acceptable to just block all the popups with sand boxing, as some contain critical functionality.
Thus i am looking for any way to "force" target="_blank" onto the link on the webpage.
I know that there is no standard way to do so, but would be open for any suggestion on how to alternatively solve this.
Maybe there is a way to disable the browsers ability to open new windows and hijack the calls.
Looking forward to your answers.
That capability is all or nothing, mostly. Since it's a different site in the iframe, you likely don't have access to the iframe content and so can't control the links in it.
iframe has a sandbox attribute to which you could add the allow-popups option
allow-popups: Allows popups (such as window.open(), target="_blank", or showModalDialog()). If this keyword is not used, the popup will silently fail to open.
As in:
<iframe ... sandbox="allow-popups"></iframe>
There's also:
allow-popups-to-escape-sandbox: Lets the sandboxed document open new windows without those windows inheriting the sandboxing. For example, this can safely sandbox an advertisement without forcing the same restrictions upon the page the ad links to.
allow-modals: Lets the resource open modal windows.
I wrote a chrome extension which injects a toolbar on top of sites (say amazon.com) as an iframe at the top.
When the user click on the action button on the toolbar (inside iframe), it's basically a form submit action, with action pointing to my full site (on another domain).
It's working, however only inside the iframe. I'd like the whole page to redirect to my site, rather than the iframe.
Is there anyway to do that in extension?
If you are using an iframe :
Same Origin Policy prevents you from doing this.
Unless you can hack/XSS the other site's files to inject the JS, you will have a hard time.
Now if you legitimately need to communicate with the other page, and you either have control of the other page or can setup it to communicate with your server, you can use window.postMessage, JSONP or even Ajax with CORS (latter 2 will be harder to pass dynamic content though). But I believe it is not the case.
else :
you can directly inject the js script in to the page itself by that you can handle all operations in the main page same as running something on chrome console.
I'm using a bookmarklet that lets me share the current URL on Google Plus.
Here's the JavaScript:
javascript:(function(){var w=480;var h=380;var x=Number((window.screen.width-w)/2);
var y=Number((window.screen.height-h)/2);
window.open('https://plusone.google.com/_/+1/confirm?hl=en&url='+encodeURIComponent(location.href)+'&title='+encodeURIComponent(document.title),'','width='+w+',height='+h+',left='+x+',top='+y+',scrollbars=no');})();
Is there a way to detect the "Sharing Successful" event and call a window.close()? And where do I call it in this JS? Even a pointer in this direction will be appreciated.
Is there a way to detect the "Sharing Successful" event and call a window.close()?
No you can't.
Browser security prevents you from using Javascript on one page to interact with another page on a different domain. This is why I can't put up a website that opens your bank's website in an iframe and then controls it.
The Javascript in a bookmarklet is considered to be part of the page that is open when you execute it. So the code becomes part of the page you are adding to Google Plus, and it can not interact with the page from Google because it is on a different domain; and vice versa. The code can open the window, but that is all.
To do what you want would require creating an add-on, extension, or user script.
I'm using Google search in a page, and it shows up in an IFRAME. However, when you click on a link in the search, it's leaving my site and redirecting to that other site. Is there a way to intercept that call with jQuery and make it open that link in a new window, instead?
Due to security reasons, what you can do with an iframe is very limited (In cases where you frame another domain).
The way this is implemented varies a bit from browser to browsers but most browsers won't let you manipulate the data in the iframe.
To my knowledge this isn't possible, assuming you are refering to an implementation of http://www.google.com/cse/
We have an application that reconstructs external web sites in an Iframe from within our domain so we can use tools that run in the browser to inspect the external website. This is an unavoidable requirement since we need to gather information about the external page using JavaScript. If the page were not reconstructed from within our domain, we would run into cross site scripting issues.
The problem is that the scripts on some pages redirect out of the iframe, which stops our tool from working.
My query is whether there is a way to allow the scripts to run within the iframe, but not to affect the page that contains the iFrame?
Hope that makes sense - thanks!
No I do not thinks so.
If the Iframe is loaded from the same domain any script will have full access to the page.
The redirect out of the page you refere to is the page protection from Hijacking where another site tries to use the page contents.
By ridirecting out of an iframe they avoid that.
You could try using a separate window (window.open) to load the reconstructed external sites instead of an iframe. As long as they are at the same domain, they'll still be able to communicate, but the child window won't be likely to mess with your main window.
Alternatively, your outer window can do nothing, and be at a different (sub)domain from your control window. Your control window is an iframe in your outer window, and the reconstructed external site is another iframe sharing the same domain as your control frame. Now if your 'external' iframe tries to do something with window.top (besides navigate) it will fail because of the cross-domain policy, but your control iframe will share the same domain as your 'external' iframe, so you can inspect and manipulate it.
If you use the second approach, frames will still be able to navigate the top window. You can prevent it by adding something like this in the top window:
window.onbeforeunload = function(){return '';};
Now you'll be prompted with a dialog box if anything tries to navigate the page, and you can abort navigation. This will probably fix your current approach by itself, but it may be best to have the top window at a separate domain in case the external site tries to do anything unexpected with it.