JavaScript: closing window from iframe - javascript

I have a page P1 loading from site S1 which contains an iframe. That iframe loads a page P2 from another site S2. At some point P2 would like to close the browser window, which contains P1 loaded from S1. Of course, since P2 is loaded from another site, it can't just do parent.close().
I have full control over P1 and P2, so I can add JavaScript code to both P1 and P2 as needed.
Suggestions on how to resolve this?

It's impossible, I am afraid. JavaScript from an iframe that is loaded from a different site than the one it is being rendered on is strictly prohibited due to security issues.
However, if the iframe is pointed to the same site you can get to it like:
<iframe name = "frame1" src = "http://yoursite">
</iframe>
<script type = "text/javascript">
alert(window.frames["frame1"].document);
</script>

If they originated from the same domain, you can modify the security-restrictions to allow modification between sub-domains.
Set document.domain = "domain.com"; //on both pages and they are allowed to modify each other.
It might work to just set them to a bogus-domain, haven't tried that, or just simply ".com" or something.

It looks like this guy got cross domain JavaScript working between iframes.

You can use Flash to do this. Send the user to a new top-level page that you control with a URLRequest with a _top target, and have that page contain javascript that does a window.close().

Related

Link that opens a NEW page and runs javascript

I would like to know how to open a page, and then on that page, run javascript (that is set by the link on the first page). I have tried this:
LINK DISPLAY NAME HERE
Does anyone know how to achieve this?
If the new page is a page whose code you control, then you can pass a query parameter to the new page via the link and you can have the javascript in the new page check for that query parameter and, if found, run some code in the page upon page load.
LINK DISPLAY NAME HERE
And the startup javascript in the new page would check for the runOnStartup query parameter and run some code based on its value.
If the new page is in the same origin as your current page, then you could open the new page in a new window and then after it opened, you could call a function in that new window. But, your previous page would have to still be running in order to do that.
If the new page is in a different origin and you do not control the code in that new page, then you cannot do what you're asking for browser security reasons.
This is possible, no problem.
Note that IE has weird incompatibilities in this area of the DOM.
<!DOCTYPE html>
<html>
<head></head>
<body>
<a id="foo" href>Click me!</a>
<script>
document.getElementById('foo').onclick = onFooClick;
function onFooClick(e) {
var scriptToInject, popUp, node, importedNode;
scriptToInject = 'document.body.innerHTML = "Hello from the injected script!";';
popUp = window.open('about:blank');
node = document.createElement('script');
node.textContent = scriptToInject;
importedNode = popUp.document.importNode(node, true);
popUp.document.body.appendChild(importedNode);
}
</script>
</body>
</html>
The above works in Chrome, Firefox and Safari on a Mac.
Warning: Do not use the following code on any remotely production-related machine. It is trivially susceptible to XSS and allows anybody to run any JS code on your website. This means that a malicious website could trivially steal your users' identities and other sensitive data. I highly recommend against using the method described in this answer in any form.
Page 1
Page 2
<script>
var javascript = <?=$_GET['javascript'] ?>;
eval(decodeURIComponent(javascript));
</script>
If you don't have PHP, use:
var javascript = window.location.href.match(/[^?=]+$/)[0];
*I haven't tested this code so it may need some fixing. I am also assuming you own both pages. If the target page isn't yours, you can't run JavaScript on it for security reasons.
To URL-encode your JavaScript, go here, type your JavaScript, and hit encode.

JQuery Click on a div that's inside an iframe

I am trying to create a click event on an iframe:
This is what I'm trying but without success:
$('iframe').contents().find('#theButton').click();
What am I doing wrong here?
As a security principle, you are not allowed to do anything in an iframe whose base URI is different from what is in the address bar; you are only allowed to manipulate an iframe whose src is equal to the page's.
Think about what would happen if you inserted a bank's internet banking in an iframe, cheated people, and in the backend changed the source of money transfers to your own account :D
But what you can do is get the HTML source code of the page you want to show in an iframe and show it using JavaScript; then you will be able to treat that source code like your own.
Try it this way; it will work for you:
$('iframe').load(function(){
var iframe = $('iframe').contents();
iframe.find("div").click();
});

Controlling play/pause actions of javascript mp3 player within a frame from other iframe

I had a webradio project for a client, so I need to put in a main page (index.html) one iframe with the audio stream and another iframe with the WordPress webradio page, to guarantee the audio won't reload with the page navigation within the site.
The problem is: the "stop button" is on the webradio page iframe, so even if I target the "a" for the audio stream iframe, it doesn't work. I read some of the topics here and tried "parent.document" too, but nothing works. Can someone give me some light?
The page in question:
http://radiotalent.com.br/
Let's assume you have two IFrames inside a root document, following this disposition:
Root document
IFrame1
IFrame2
If you want to call, say, a method located in IFrame2 from IFrame1, then parent is indeed your friend. The code in IFrame1 would look something like this:
parent.document.getElementById("IFrame2").contentWindow.Method();
The following markers indicate the position of each member on the above line:
^ [parent (Root)]
       ^ [parent document]
                ^ [The target frame]
                                          ^ [The window object in the frame]
                                                        ^ [The JS method itself]
Now, keep in mind that you won't be able to use this if the IFrames reference content in different domains because of the "Same Origin" security policy.
From the webradio frame call iframe1.stop() function. That might help.
Think of it this way. If you have two iframes, your connection is the parent page.
What you'd want to do, let's assume you're using regular javascript at first (consider JQUERY THOUGH)
Say you have iframe 1, with an ID of "iframe1" and the second "iframe2"
to access iframe2 from iframe1
var iframe2 = parent.document.getElementById("iframe2");
or the other way around
var iframe1 = parent.document.getElementById("iframe1");
EDIT:
X-FRAME-OPTIONS STRIKES AGAIN, seems the poster was trying to have cross-domain access when this is specifically denied by iframes when the sites use this particular protection.

How to block pop-up coming from iframe?

I'm embedding a page that has an exit pop-up. When you close the page, it automatically launches a pop-up window.
How to disable pop-ups coming from the iframe on exit?
If you are wanting to block something like POP up ads or something coming from a website you are showing in an IFRAME - it's fairly easy.
Make a framefilter.php and javascriptfilter.php which your iframe points to.
You can modify it to meet your needs such as the onload blah blah and etc.
But as/is - it's been working fine for me for quite a while. Hope it helps.
Replace your standard IFRAME HTML with this:
<IFRAME SRC="http://www.yourdomainhere.com/framefilter.php?furl=http://www.domainname.com" WIDTH=1000 HEIGHT=500>
If you can see this, your browser doesn't
understand IFRAMES. However, we'll still
link
you to the page.
</IFRAME>
Framefilter.php
<?php
//Get the raw html.
$furl=trim($_GET["furl"]);
//Only fetch http(s) URLs; any other value would make file_get_contents() read local files or other stream wrappers.
if(!preg_match('#^https?://#i',$furl)){
http_response_code(400);
exit;
}
$raw = file_get_contents($furl);
$mydomain="http://www.yourdomainhere.com/";
//Kill annoying popups.
$raw=str_replace("alert(","isNull(",$raw);
$raw=str_replace("window.open","isNull",$raw);
$raw=str_replace("prompt(","isNull(",$raw);
$raw=str_replace("Confirm: (","isNull(",$raw);
//Modify the javascript links so they go through a filter.
$raw=str_replace("script type=\"text/javascript\" src=\"","script type=\"text/javascript\" src=\"".$mydomain."javascriptfilter.php?jurl=",$raw);
$raw=str_replace("script src=","script src=".$mydomain."javascriptfilter.php?jurl=",$raw);
//Or kill js files
//$raw=str_replace(".js",".off",$raw);
//Put in a base domain tag so images, flash and css are certain to work.
//The URL is HTML-escaped so it cannot break out of the href attribute.
$replacethis="<head>";
$replacestring="<head><base href='".htmlspecialchars($furl,ENT_QUOTES)."/'>";
$raw=str_replace($replacethis,$replacestring,$raw);
//Echo the website html to the iframe.
echo $raw;
?>
javascriptfilter.php
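<?php
//Get the raw javascript.
$jurl=trim($_GET["jurl"]);
//Only fetch http(s) URLs; any other value would make file_get_contents() read local files or other stream wrappers.
if(!preg_match('#^https?://#i',$jurl)){
http_response_code(400);
exit;
}
$raw = file_get_contents($jurl);
//Note, if trickiness like decode is detected then display empty.
//strpos() is used because "decode(" is not a valid pattern for preg_match().
if(strpos($raw,"decode(")===false){
//Kill annoying popups.
$raw=str_replace("alert(","isNull(",$raw);
$raw=str_replace("window.open","isNull",$raw);
$raw=str_replace("prompt(","isNull(",$raw);
$raw=str_replace("Confirm: (","isNull(",$raw);
//Echo the filtered javascript to the iframe.
echo $raw;
}
?>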
Quite an old ask, but I thought I'd offer a newer solution since this is the top result in google.
If you want to block an iframe from opening windows, you can use the new HTML5 "sandbox" attribute on your iframe.
https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe
This should keep it from doing anything (except running javascript which may be required for the page to function correctly):
<iframe sandbox="allow-scripts" src="your/url/here"></iframe>
I don't think this is possible.
first (and most importantly), if the iframe is in a different domain, you can't change its DOM - such as the onunload handlers. If this is the case, the other two issues are moot.
second, even if you could, you'd have to remove the listener in some way. If the listener is loaded via window.onunload, that would be simple; otherwise, not so much.
third, in the long term this would lead to the same arms race as the frame-busting-busters
The only possibility I see is non-technical in nature: check with whoever runs that site inside the iframe if they could make a special page for you, one without such onunload popup. In most cases, either
a) some special arrangement can be made (although not always for free), or
b) removing the functionality would be a violation of the ToS, in which case you'd have to look for someone else providing similar functionality, without the pop-ups (and realistically, most services have more than a single provider)
Actually, this is possible. Well at least in many cases. Often, the code in the iframe will be running something like top.window.open(...) to open a pop-up. You can redefine the window.open method so it still exists, but doesn't open a window. E.g.:
window.alias_open = window.open;
window.open = function(url, name, specs, replace) {
    // Do nothing, or do something smart...
}
If you still want some pop-ups to open, you can whitelist urls within the body of window.open, and call alias_open as needed.
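The allowlisting idea described above, as an added example that is not part of the original answer: the wrapper parses each requested URL and compares its exact origin against a set rather than matching substrings. `installPopupFilter`, the origins and the base URL are hypothetical, and the wrapper is only reached by callers that can access this window's `open`, i.e. same-origin frames calling `top.window.open`.

```javascript
// Added example: allowlist wrapper around window.open (all names are hypothetical).
function installPopupFilter(win, allowedOrigins, baseHref) {
  const nativeOpen = win.open;           // keep the real implementation
  const blocked = [];                    // refused URLs, kept for logging
  win.open = function (url, name, specs) {
    let target = null;
    try {
      // Resolve relative URLs against the page; a missing URL means about:blank.
      target = new URL(String(url ?? "about:blank"), baseHref);
    } catch (e) {
      target = null;                     // unparsable input is refused
    }
    const allowed =
      target !== null &&
      (target.protocol === "https:" || target.protocol === "http:") &&
      allowedOrigins.has(target.origin); // exact scheme + host + port match
    if (!allowed) {
      blocked.push(String(url));
      return null;                       // what a blocked pop-up returns to the caller
    }
    return nativeOpen.call(win, target.href, name, specs);
  };
  return { blocked, restore: () => { win.open = nativeOpen; } };
}

// Browser usage (placeholder origin); skipped when run outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  installPopupFilter(window, new Set(["https://help.example.com"]), document.baseURI);
}
```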
Setting the sandbox attribute on the IFrame element should work.
I'm not sure if this would work, but you could try double iframing. Iframe the site in a free Blogger account, then iframe the Blogger account with a delay-loading code, so the popup will occur before the page is loaded. Let me know if it works.
Use a modern browser - they all come with decent pop-up blocking capabilities

How to track the user in an iframe

I want to track what happens inside an iframe when a user clicks on links in the iframe. The page that contains the iframe (the parent) is to track the user's navigation through the page in the iframe. Both pages will be hosted on the same top-level domain, although the subdomains will differ.
I need the parent page to be notified of every click, but I do not have direct control over the pages I load into the iframe.
Is adding an onclick to all the links whenever the page in the iframe is loaded possible? How would I go about doing this?
This would be the "template" on which to build:
<html>
<script language="javascript">
var currentURL;
</script>
<body>
<iframe id="container" width="500" height="500" src="http://subdomain.parentdomain.com"></iframe>
</body>
</html>
Iframe CrossDomain access needs to be the same domain, subdomain, and port.
If you had them on the same domain, you could bind click event handlers on all the links, then when they are clicked log a click to something like google analytics, your database, etc.
I do not have direct control over the pages I load into the iframe
That's your blocker. If you can augment the code within the remote pages, you can use postMessage and the iframe fragment identifier hack to get browser coverage.
Fortunately, someone already did the dirty work for you:
http://easyxdm.net/
http://consumer.easyxdm.net/c/
http://www.codeproject.com/KB/scripting/easyXDM.aspx?msg=3153511
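The postMessage approach mentioned above, as an added example that is not part of the original answer and not easyXDM code: the framed page reports link clicks, and the parent records a report only when it comes from the expected origin and from its own iframe. The parent origin, the `link-click` message shape and the function names are assumptions, and the framed pages must be able to load the reporting script.

```javascript
// Added example: click reporting over postMessage (origins and message shape are assumed).
const FRAME_ORIGIN = "http://subdomain.parentdomain.com"; // src used in the question's template

// Parent side: returns a "message" listener that records validated click reports.
function createClickReceiver(frameWindow, frameOrigin, log) {
  return function onMessage(event) {
    if (event.origin !== frameOrigin) return false;   // sender is not the framed site
    if (event.source !== frameWindow) return false;   // sender is not our iframe's window
    const msg = event.data;
    if (!msg || typeof msg !== "object" || msg.type !== "link-click") return false;
    if (typeof msg.href !== "string" || msg.href.length > 2048) return false;
    let url;
    try { url = new URL(msg.href); } catch (e) { return false; }
    if (url.protocol !== "http:" && url.protocol !== "https:") return false;
    log.push(url.href);                               // stored as data, never evaluated
    return true;
  };
}

// Framed-page side: report link clicks to the parent. The target origin is named
// explicitly instead of "*" so reports are not delivered to some other embedder.
function reportClicks(doc, parentWindow, parentOrigin) {
  doc.addEventListener("click", function (e) {
    const link = e.target.closest ? e.target.closest("a[href]") : null;
    if (link) parentWindow.postMessage({ type: "link-click", href: link.href }, parentOrigin);
  }, true);
}

// Parent-page wiring; skipped when run outside a browser.
// The framed page would call: reportClicks(document, window.parent, "<parent origin>");
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.getElementById("container");
  if (frame) {
    window.addEventListener("message", createClickReceiver(frame.contentWindow, FRAME_ORIGIN, []));
  }
}
```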
I am going to use an AJAX-Proxy to have the content (as far as the browser is concerned) come from my domain. This will solve all the cross domain scripting issues that CodeJoust mentioned. Speed of delivery might be a problem due to the overhead I will be generating, but that will have to be seen.
I will probably move along the lines of this Stackoverflow Question:
"Apply “onclick” to all elements in an iFrame"
Regarding legal issues pertaining to proxying and changing the content of pages dynamically, it will have to be checked. I believe that tracking users that give their express consent is, from an ethical standpoint, unproblematic.
With jQuery it would be easy.
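$(document).ready(function(){
    // Bind to the iframe element so the handler re-runs after every navigation inside it.
    $('#container').on('load', function(){
        // Only works while the framed page is same-origin with the parent.
        $(this).contents().find('a').click(myClickHandler);
    });
});
function myClickHandler(){
    /* Do something */
}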
