I know this has cross site scripting limitations however I was wondering if there is a way to do this...
I have a customer who uses a 3rd party website to present surveys to users. The survey site does provide iframe code to include on your site so you can present the survey to your users from your own site. The customer wants to capture some data when the user clicks the submit button within the iframe. I don't need access to any form fields within the survey I just need to some how define an additional custom event in javascript that gets fired when the submit button is clicked in the iframe. Is this possible? How?
Thanks!
There is no way to do this due to the cross site scripting. If you had access to both the iframe content and the outer frame then you could have used events to communicate between the two. But of course you have no control over the iframe content.
If you had access then you could have post a message to get access to the events. Here is a plugin. http://benalman.com/projects/jquery-postmessage-plugin/
No. You cannot reach the DOM in the IFrame at all.
The short answer is: no. Not unless both scripts are on the same domain, for as the reason you identified: security reasons.
See http://softwareas.com/cross-domain-communication-with-iframes.
Related
I'm currently building a service in which I need people to be able to submit a form, through an iframe which they'd have on their own site, however I need it to only be from the domain listed in their User model.
I know this is possible, however I need a solution whereby users cannot edit any JS to allow it to work on a domain that it shouldn't (through inspect element etc.).
Anyone got any solutions? Any help at all greatly appreciated.
You can't access the parent page from an iframe unless both the iframe and the parent are on the same domain.
My website offers rich content to users. I often subscribe to third party vendors whose content I embed in my pages. How can I safely embed external domain's content on my webpage in an iframe without worrying that they won't be able to bust out of frame. They won't do it purposely (without risking their clientage/reputation). However, since they almost always are small shops, they become a juicy targets for an attacker who wants to deface/redirect my website.
I am not asking how can I prevent an iframe to access parent frame's DOM, which I know it can't. I am asking how can we prevent an iframe to stop doing something like the following (which doesn't require access to parent's DOM):
top.location=url
Is there a header (something similar/opposite to X-Frame-Options) which I can use on my parent page to ensure that the iframes I embed can't bust out? Remember, I can't ask vendors to add headers/scripts to their pages. They never purposely want to do nefarious things to my page. The scenario I am trying to cover is the one when they get hacked.
As noted in the comments, sandbox attribute can prevent the script inside the iframe to access the windows top.href, location.href and similar methods. This will do what I want to achieve.
From w3schools:
When the sandbox attribute is present, and it will:
prevent the content to navigate its top-level browsing context
Hey guys i have a little problem.
I have a page something like this:
<div id="the_box"><iframe src="somesite"></iframe></div>
I have the div on my page but inside the iframe theres a form from another site where i would like to know when the user clicked a button inside that frame, is there a easy way to register that a user clicked?
This is not possible due to browser security restrictions. Events are not allowed to propagate over iframe elements whose src attribute is an external domain.
No this cannot be done . Maximum you can know is when the user clicks anywhere on the iFrame. Not on any elements inside the IFrame , as that violates the browser rules and Internet protocols .
I got a site that loads multiple recaptcha at once in iframes.
I was wondering when a user hit enter after typing the captcha if there a way to add a key event to toggle to the next iframe box and enter the next recaptcha?
Most of the site is written in php but there are some stuff javascript added
You may be better off using a different recaptcha method that doesn't require the use of iframes. Finding a work-around for the iframe security sandbox, if even possible, may be more work then it's worth.
I have a Site containing an Iframe containing some website for example google.com .
How can I apply onkeydown onto this iframe?
Seems to be kinda tricky...
Thx in advance!
For security reasons, it is utterly impossible to directly interact with a different website using Javascript.
If you have control of the child iframe, it is possible to have some level of communication, but if an iframe has focus, it is impossible to listen to it (or descend into) it so long as it is in a different domain.
Imagine, a malicious site decides that they want to do something similar. They open an iframe of your bank and then record your key-down events. That gives the malicious site access to your username and password! Bad deal.