Question

I have a .jsp that contains an IFrame with a page that has some embedded JavaScript. This JavaScript accesses some DOM elements in the parent page (the one containing the IFrame).

The embedded page is going to be on a separate sub-domain from the parent page, and I realize that there are some security implications. My impression is that the document.domain of any pages embedded in IFrames must match the document.domain of parent pages for cross-IFrame access to be allowed. The embedded page currently contains the following code to 'broaden' the scope of its security:

document.domain = 'domain.com'; //where domain.com is my domain

It then proceeds to access DOM elements in the parent document.

I am currently testing this, and have modified the hosts file on the Windows machine serving the parent page with the following entry:

127.0.0.1 domain.com

The goal is to trick JavaScript on the parent page into believing that the document in the embedded page is being served from the same domain.

I then browse to the page on the same machine. Despite the document.domain showing up as 'domain.com' in both my parent and embedded pages as observed through Firebug, I am getting 'Permission denied' errors when attempting to get or set DOM properties from JavaScript running in the embedded page.

Am I missing something? Thanks in advance for any suggestions or comments!


Solution

Even though the "document.domain" properties look the same, from the MSDN documentation it sounds like you still have to explicitly set them to be the same:

All the pages on different hosts must have the domain property explicitly set to the same value to communicate successfully with each other. For example, the value of the domain property of a page on the host microsoft.com is "microsoft.com" by default. It might seem logical that if you set the domain property of a page on another host named msdn.microsoft.com to "microsoft.com," that the two pages could communicate with each other. However, this is not the case, unless you explicitly set the domain property of the page on microsoft.com to "microsoft.com."
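The rule quoted above is easy to get wrong because the two values can look identical in a debugger while the browser still treats the documents as different origins. The following is an added example, not code from the question or the answer: a small model of that rule, written so it runs outside a browser. A page's effective domain is its host unless the page has explicitly assigned document.domain; assigning also discards the port. Two documents may script each other only when both are in the same state: neither assigned document.domain and the full origins match exactly, or both assigned it to the same value under the same scheme. The makePage, assignDomain and canScript names and the sample pages are constructed for illustration. Note also that modern browsers have deprecated document.domain relaxation, so postMessage is the usual replacement for parent/child communication today.

```javascript
// Added illustration (not from the original page): a model of the
// document.domain rule the accepted answer quotes. No real DOM is involved.

// A page object: scheme, host, port, and the value (if any) the page
// explicitly wrote to document.domain. null means "never assigned".
function makePage(scheme, host, port, assignedDomain = null) {
  return { scheme, host, port, assignedDomain };
}

// Browsers only allow document.domain to be set to the page's own host or
// to a parent domain of it (e.g. sub.domain.com -> domain.com). Anything
// else throws. This mirrors that restriction on the model.
function assignDomain(page, value) {
  const ok = value === page.host || page.host.endsWith('.' + value);
  if (!ok) {
    throw new Error(`"${value}" is not a parent domain of "${page.host}"`);
  }
  return makePage(page.scheme, page.host, page.port, value);
}

// The domain the browser compares: assigned value if present, else the host.
function effectiveDomain(page) {
  return page.assignedDomain !== null ? page.assignedDomain : page.host;
}

// Can script in page a touch the DOM of page b (and vice versa)?
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;          // http vs https never matches
  const aSet = a.assignedDomain !== null;
  const bSet = b.assignedDomain !== null;
  if (aSet !== bSet) return false;                  // one side relaxed, the other did not
  if (!aSet) {
    // Neither side touched document.domain: ordinary same-origin check.
    return a.host === b.host && a.port === b.port;
  }
  // Both sides relaxed: compare effective domains; the port is ignored
  // because assigning document.domain discards it.
  return effectiveDomain(a) === effectiveDomain(b);
}

// The situation in the question: only the embedded page sets document.domain.
const parentPage = makePage('http', 'domain.com', 80);
const childPage = assignDomain(makePage('http', 'sub.domain.com', 80), 'domain.com');

// The fix from the answer: the parent assigns the same value explicitly,
// even though it is already the parent's own host.
const fixedParent = assignDomain(parentPage, 'domain.com');

console.log('child vs unmodified parent:', canScript(parentPage, childPage)); // false
console.log('child vs parent that set document.domain:', canScript(fixedParent, childPage)); // true
```

Running the block prints false for the question's setup and true once the parent also assigns document.domain, which is exactly the "Permission denied" symptom and its cure. The hosts-file entry in the question does not change this: it only affects name resolution, not which document.domain state each page is in.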

OTHER TIPS

You could put a proxy to redirect requests of <iframe src="http://domain.com/fake/"> to the right place.

It's just an idea...

Regards.

Licensed under: CC-BY-SA with attribution