I have a Site containing an Iframe containing some website for example google.com .
How can I apply onkeydown onto this iframe?
Seems to be kinda tricky...
Thx in advance!
For security reasons, it is utterly impossible to directly interact with a different website using Javascript.
If you have control of the child iframe, it is possible to have some level of communication, but if an iframe has focus, it is impossible to listen to it (or descend into) it so long as it is in a different domain.
Imagine, a malicious site decides that they want to do something similar. They open an iframe of your bank and then record your key-down events. That gives the malicious site access to your username and password! Bad deal.
Related
I have an iframe.
I want to prevent access from the parent document into the iframe from css selectors and other manipulation.
How can I secure it?
You could kill a goat under the light of a full moon inside a pentagram made of salt. If you did that, css or js wouldn't be able to affect the contents of an iframe.
They wouldn't affect them if you didn't either.
You have to explicitly allow sites to interact with the contents of an iframe, either by setting up an api like this, or by setting up cors headers to allow interaction. According to other answers on this site, if the iframe and parent have the same domain, cors rules don't apply, so changes can be made. If you are embedding an iframe from your site on your site, you should probably trust your own code.
If you are asking how to prevent users from using the developer tools to mess around with your iframe contents, you can't. There are all sorts of things that website designers have tried to do to keep me from looking at their source. I've never found one that can keep me out.
My website offers rich content to users. I often subscribe to third party vendors whose content I embed in my pages. How can I safely embed external domain's content on my webpage in an iframe without worrying that they won't be able to bust out of frame. They won't do it purposely (without risking their clientage/reputation). However, since they almost always are small shops, they become a juicy targets for an attacker who wants to deface/redirect my website.
I am not asking how can I prevent an iframe to access parent frame's DOM, which I know it can't. I am asking how can we prevent an iframe to stop doing something like the following (which doesn't require access to parent's DOM):
top.location=url
Is there a header (something similar/opposite to X-Frame-Options) which I can use on my parent page to ensure that the iframes I embed can't bust out? Remember, I can't ask vendors to add headers/scripts to their pages. They never purposely want to do nefarious things to my page. The scenario I am trying to cover is the one when they get hacked.
As noted in the comments, sandbox attribute can prevent the script inside the iframe to access the windows top.href, location.href and similar methods. This will do what I want to achieve.
From w3schools:
When the sandbox attribute is present, and it will:
prevent the content to navigate its top-level browsing context
I know this has cross site scripting limitations however I was wondering if there is a way to do this...
I have a customer who uses a 3rd party website to present surveys to users. The survey site does provide iframe code to include on your site so you can present the survey to your users from your own site. The customer wants to capture some data when the user clicks the submit button within the iframe. I don't need access to any form fields within the survey I just need to some how define an additional custom event in javascript that gets fired when the submit button is clicked in the iframe. Is this possible? How?
Thanks!
There is no way to do this due to the cross site scripting. If you had access to both the iframe content and the outer frame then you could have used events to communicate between the two. But of course you have no control over the iframe content.
If you had access then you could have post a message to get access to the events. Here is a plugin. http://benalman.com/projects/jquery-postmessage-plugin/
No. You cannot reach the DOM in the IFrame at all.
The short answer is: no. Not unless both scripts are on the same domain, for as the reason you identified: security reasons.
See http://softwareas.com/cross-domain-communication-with-iframes.
I know there have been several similar questions, but I haven't seen an answer to my specific need: Is there a way to click a button in a separately launched web page? For example, I launch another web page via:
<a href="x" target="y"> or
window.open()
Can I then click an input button in that launched web page programmatically?
Unless the page is underneath your own control or resides on the same domain then no, it is not possible. This would be cross-site scripting and all browsers have security sandboxes in place to keep something like this from happening. Why are you trying to programmatically press a button on a page that you're also programmatically opening?
Yes. When you do window.open it will return you a window object. Var win = window.open(); win.fnSubmit(); assuming fnSubmit is the function on the other page that will do the.clicking. and both pqges on the same domain.
This is a technique used by some hacking injection attacks. Basically you can inject javascript into the querystring that can attach itself to the DOM, change an image or swf file source or simply run when the page is loaded; example here and example here.
Or if you already know the structure of the other page you can directly target methods or objects.
But as these are not nice things I assume that you have good reasons why you can't touch the code on the receiving page but want to adjust its behaviour?
You can click on any element you can select.
You can only select elements in windows that you have security privelages to.
You have rights to your own window, and rights to windows within the same domain & security.
To access the element you'll need the window object, which is returned from window.open
var newWin = window.open(siteYouHaveAccessTo);
newWin.document.getElementById('foo').click();
If you're trying to click on the Search button on www.google.com, you're SOL.
Survey says... maybe. If you've done your homework, you will probably be able to get communication to happen within the same subdomain. It gets progressively more difficult from there -- I've never had consistent cross-browser sub-domain support for manipulating JavaScript between two windows (or iframes).
That said, if they are the same domain, it is a matter of descending into it. If I have:
Window A opens Window B
Window B declares var winBVar
Window A is able to access winBVar after, and only after, that variable is declared (as in, you still need to wait for document.onload, etc)
The purpose is to let people embed my iframe at a certain size say 100*100, but then per user clicks this iframe should resize itself to the page size and back.
This should be independent of the structure of the HTML embedding the iframe (if possible).
Is it doable?
Guy
That is easily possible since an iframe is just an node on the page. I strongly recommend using iframes, however. My suggestion is to find another way. Iframes tend to be a portal for the passage of malicious client-side code.