Understanding Cross-Domain issue in Iframes - javascript

This question might seem silly but I need to understand this for clarity.
According to my understanding, cross-domain problem is when the domain of the webpage which contains the IFRAME is different from the domain of the web-page opened in IFRAME.
Going by that logic, nothing should open in IFRAME ever.
When I embed a web-page "bottom:10700" in the IFRAME of my web-page "top:9700", it gives error.I am not able to see the contents in IFRAME. Error is Access denied in accessing property 'constructor'
I am getting the error while accessing the contructor (_1.contructor)
isc.A.Function=function isc_isA_Function(_1){
if(_1==null) return false;
if(isc.Browser.isIE&&typeof _1==this.$a7) return true;
var _2=_1.constructor;
if(_2&&_2.$k!=null){
if(_2.$k!=1)return false;
if(_2===Function)return true
}
This script is run when home page of bottom is opened in an iframe contained in top.
Is there any way, I can make this work. I mean can I set both the domains to be same. I don't have access to remote site's script.
Is resizing the frame after redering it once a cross-domain scenario. If not, then certainly remote site is trying to access the IFRAME element..How can I debug this??

Cross-domain issues are about the communication between iframes. You can always embed any iframe but, if domains differ, iframes cannot interact with each other e.g. execute JS, modify DOM etc.
HTML5 provides a sandbox property that re-enables particular features of the cross-domain iframe interaction. Be careful, it can be dangerous.

It is normal behavior for a page xyz.com to load in an iframe hosted on abc.com. However, you cannot change anything or access its content via code from parent abc.com.
Hope this helped.

Related

Allow mixed content inside iframe

The parent site running on https. Inside parent site window a iframe with src https. The iframe has links with http.
Its https(main parent site) => https(iframe) => http(links inside iframe) scenario.
In browser console blocked:mixed content getting logged.
Kindly help to get rid of this error.
this is a browser setting and you did not indicate which browser you are using. Here is info from Firefox on how to disable mixed-content blocking. Note, disabling this increases your security risks. Here is a good article describing the concept so you have a better understanding of why its happening and what the risks are.

Catch Cross Site Scripting Error in iFrame

I have a web page which houses an iframe. Inside the iframe is a website. The website comes from a dynamic url variable so practically any website can be housed inside of the iframe. Some domains of the websites to be housed in the iframe may be forwarding domains. I want to be able to detect, through javascript, that this domain is a forwarding domain. However that is not possible because of cross site scripting securities.
What i have noticed in the chrome console is that when i try to access information from the the website housed inside the iframe, there is an actual error message displayed by chrome. However i have not been able to obtain that error message in my javascript. As you can see by the image, i have the domain that i pointed the iframe to, and then the actual domain of the website in the iframe, noted by chromes error message.
Does anyone have any idea how i can get that error message? I have tried using try catch(err) but that does not seem to work. Or, better yet, any idea how to get the details of the site inside of the iframe from javascript? The only detail i need is its URL.
Thanks in advance!
(source: farfromthere.org)
You can't access what the current location of the iframe is, or whether it has redirected, for security reasons. The only exception is if you are checking whether the iframe contains a page that is in the same origin as yours; in that case, you will be able to access the iframe.

Know which page the user is browsing in iframe

I would like to create a web page which is a main page that has one iframe whose content does not come from the same host as the main page but I would like to know which page the user is currently browsing in the iframe.
For example, I have a main page with a button bound with an Javascript event and an iframe that load content from a site like google.
A user can navigate the content in iframe as he wants but when the button in the main page is clicked, the current url in the iframe must be popped up.
I already tried it but since the same origin policy always applies, an error like this
Permission denied to access property 'location' occurs.
I do know that it makes sense according to SOP but I really need to do it.
I would like to know if there is some hack that can do the trick or I have to admit the
restriction and design my app the other way.
If there was such a trick, it would make browser security invalid and expose privacy issues. These things are there for a reason.
You can disable this for YOURSELF, but bypassing it for others is evil.
See:
Disable same origin policy in Chrome

How can I prevent an iframe from accessing parent frame?

I've got a page with an iframe. The page and the source of the iframe are in different domains. Inside the iframe I'm using a rich text editor called CuteEditor (which has turned out to be not so cute). There are certain javascript functions in CuteEditor which try to access 'document' but the browser denies access since they're not in the same domain.
Here's the exact error:
Permission denied to access property 'document'
http://dd.byu.edu/plugins/cuteeditor_files/Scripts/Dialog/DialogHead.js
Line 1
Editing the javascript is out of the question because it's been minfied and obfuscated so all the variable names are cryptic.
Using a different editor is currently out of the question because this is a work project and this is the editor I've been told to use.
Is there a way to keep the iframe self-contained? So it does everything inside the iframe and doesn't try to break out to the parent frame?
If the child iframe is loaded from a different domain, then it will not be able to access the parent page or DOM.
However, there is a still a possible vulnerability to man-in-the-middle attack as follows. Suppose your page loads off http://yoursite.com and the iframe goes to http://badsite.org
first http://badsite.org redirects to http://yoursite.com/badpage
This is the step that requires a man-in-the-middle attack. The attacker must either be able to get between the user and yoursite.com, or control the answers to your DNS lookup. This is easier than it sounds -- anyone who has administrative control over a public WiFi access point could do it (think Starbucks, hotels, airports.) The goal is to serve the content of http://yoursite.com/badpage from the attacker's site, not your actual site.
The attacker can then serve whatever malicious code they like from the (fake) http://yoursite.org/badpage. Because this is in the same domain as the main page, it will have access to the parent DOM.
The HTML5 iframe sandbox attribute seems to be the way to avoid this. You can read the spec, but the best description might be here.
This seems to be supported on Chrome, IE10, FireFox, Safari.
The spec says that if the "allow-same-origin" attribute is not set, "the content is treated as being from a unique origin." This should prevent your child iframe from accessing any part of the parent's DOM, no matter what the browser thinks the URL is.
You shouldn't need to worry about that happening.
The only way iframes can talk cross-origin is with postMessage, and that's only possible if you're listening to that domain directly.
https://developer.mozilla.org/en/DOM/window.postMessage

Running a bookmarklet on an iFrame that is coming from a different domain

Is there any way to run a bookmarklet on an iFrame which is from a different domain?
For example, I have a page loaded from http://example.com, which has an iFrame whose source is set to http://example2.com. When I run the bookmarklet, it is always run on http://example.com, since that is the main page. I want to run it on the other iFrame though.
When I attempt to interact with the iFrame (e.g. by changing its source attribute to javascript:alert('test')), Chrome shows the following error:
Unsafe JavaScript attempt to access frame with URL http://example.com from frame with URL http://example2.com. Domains, protocols and ports must match.
I tried dragging and dropping the bookmarklet into the frame, but it says:
Failed to load resource
Is there any way for me to interact with an iFrame using a bookmarklet in Chrome?
There is a way to do cross-domain message-passing (not arbitrary code execution) using window.postMessage, yet all a frame A can do to frame B (when they are not of the same origin) is passing it a message hoping that B has a callback function listening for this message.
So here if you control exemple2.com (what's in the frame that don't get the bookmarklet), you can make the bookmarklet pass a message to the iframe and handle it in the iframe.
Else I don't think you have a solution here, except very complicated ones (like proxying).
Other links:
In-depth article about same origin policy and its implementations in browsers
A cross-browser, backward compatible postMessage attempt (as jQuery plugin)
iFrames have alot of security on them as do ajax calls.
Any attempt to use these in a cross-domain manner will result in a security error.
Imagine you were able to interact with other iFrames on different domains. You would be able to make an iFrame (like facebook login's page) that had width and height of 100% and add a function to execute on a submit event which would email you the username and pass before submitting.
So you're gonna have a lot of trouble accomplishing what you're trying to do. You basically can't mess with a page that you don't own. You can use firebug to edit it with the html tab though.
Hope that helps
One option if you are not in control of the page or the iframe is to load the iframe into a new window. The src attribute of the iframe is available to read by the parent JS, which can then open a new tab or window. The user can then click on the bookmarklet a second time to load it into this new page.

Categories