How can you access the external contents of an iframe through DOM / Javascript?

Question

How can you access the external contents of an iframe through DOM / Javascript?

I have a page:

<html> <head></head> <body> <iframe src="local.html"></iframe> <iframe src="http://www.google.com"></iframe> </body> </html>

I used the DOM to access the first iframe as a test (node.documentWindow), but when I try to use a similar iframe in external Firebug reports, access is denied.

I suspect this is for XSS protection, but is there a “safe” way to import a node so that I can grab an element from this external page? Is there a way to learn “document as visualized” or something else?

Thanks!

+4

javascript dom html xss iframe

Alex Mcp Mar 03 '10 at 20:30

source share

1 answer

Pekka 웃 · Accepted Answer · 2010-03-03T20:32:19+0000

Nope. Cross-domain access protection prevents this. The only way is if the surrounding page and iframe are on different subdomains in the same domain. In this case, you can use document.domain .

This is quite a lot. Imagine the security implications if this is not the case. You can create an iframe containing the user's home banking page, and, for example, take your password using keydown . There are tons of opportunities for abuse.

How can you access the external contents of an iframe through DOM / Javascript?

More articles: