All geek questions in one place

How to get current loaded page URL from iframe

I use iframe to load faroo.com by default src in the frame when I search and go to another webpage using faroo. But still in iframe src its display faroo.com only I wanted to capture the URL of the page loaded in iframe

<!DOCTYPE html> <html> <head> <script src="http://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.11.1.min.js"></script> <script type="text/javascript"> $(function(){ $('#frameid').load(function(){ var z=$('#frameid').attr('src'); console.log('hi '+z); }); $('#clicked').on('click', function(){ $('#frameid').attr('src', 'http://www.faroo.com/'); }); }); </script> </head> <body> <iframe width="100%" height="500px" id="frameid" src="" name="iframe_a" ></iframe> <p><input type="button" value="click me!" id="clicked"></p> </body> </html>

O / p on console.log is always faroo.com not the current website that loaded

+5
source share
2 answers

For security reasons, you can get the URL as long as the contents of the iframe and the referenced javascript are in the same domain.

If so, you can do something like:

 document.getElementById("frameid").contentWindow.location.href

If these two domains are different from each other, you will get all the restrictions that apply to the domain with reference to the intersite link . Example:

 document.getElementById("frameid").src = 'http://www.google.com/'; alert(document.getElementById("frameid").documentWindow.location.href); Error: Permission denied to get property Location.href

Of course (if a big security flaw is detected in your browser), you simply cannot achieve what you need using javascript in the parent document. Let's see with a simple example why. If the browser has resolved what you need, you can easily:

  • Create a page with a hidden iframe (e.g. http://malicous.com/dont-trust )
  • In this iframe, open a child page with the process of logging into a website (for example, http://insecure-web-site.com/redirectlogin )
  • If cookies for the child are present and under certain circumstances, the page inside the frame will be redirected to the real website, while continuing to log on to the user.
  • Now, from the parent page, you can read all the confidential information that goes through the login process contained within the URL, for example. access tokens, session identifiers, ...
  • At this stage, the victim’s site and its users face a wide new set of possible security threats ...
+13
source

It seems that there is a hack to this work, and I really cannot believe that this is even permissible. Here's how it works:

1) Change the domain to match iframe:

 document.domain = <iframe_domain>

2) Get the URL as follows:

 console.log($('iframe')[0].contentWindow.location.href)

In my opinion, this should not work, but it is. I tested in Safari, Chrome and Firefox all the latest versions from 02/01/2017:

Home: http://subdomain.website.com iframe: http://www.website.com

What do you think? Is this permanently permitted or is it supervision that will be fixed in the near future?

Update

I started a new discussion topic here regarding browser security.

Isn't this a serious browser security issue? RE: Cross-Domain iframe Hack

Update 2

It seems that this will always be supported for specific cases.

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

+1
source

Source: https://habr.com/ru/post/1203464/

More articles:


All Articles