How much data can an iframe read from its parent window? - iframe

If I create a widget and embed it in an <iframe> on a site that is from a different domain, how much data about the parent page can the widget read?
Obviously there's no DOM access, but is there any access to other information, such as whether the parent page has a parent, or what the url of the parent page is?

Normally the content of an iframe served from a different domain cannot access the parent in any way. It's like loading the page in a different browser tab.
However, even if served from a different domain, there is a possible man-in-the-middle attack which wil allow access to the parent DOM. This is easier than it sounds -- anyone who has administrative control over a public WiFi access point could carry out this attack (think Starbucks, hotels, airports.)
It is possible to protect against this attack using the HTML5 iframe sandbox attribute -- see below.
The man-in-the-middle attack works as follows. Suppose your page loads off http://yoursite.com and the iframe goes to http://badsite.org
first http://badsite.org redirects to http://yoursite.com/badpage
This is the step that requires a man-in-the-middle attack. The attacker must either be able to get between the user and yoursite.com, or control the answers to your DNS lookup. The goal is to serve the content of http://yoursite.com/badpage from the attacker's site, not your actual site.
The attacker can then serve whatever malicious code they like from the (fake) http://yoursite.org/badpage. Because this is in the same domain as the main page, it will have access to the parent DOM.
The HTML5 iframe sandbox attribute seems to be the way to avoid this. You can read the spec, but the best description might be here.
This seems to be supported on Chrome, IE10, FireFox, Safari.
The spec says that if the "allow-same-origin" attribute is not set, "the content is treated as being from a unique origin." This should prevent your child iframe from accessing any part of the parent's DOM, no matter what the browser thinks the URL is.
Sandbox also lets you disable scripts, pop-ups, the ability to change the top level URL, and other things.

I did a little google search, and it turns out that normally you cannot access the internal guts of the Iframe if the the content is another domain (same origin policy), however there's an article here which can give you some ways around that.

Related

Load iframe on specific domains only

I want to allow some websites to embed an iframe with a page from my domain. However, I don't want anybody to be able to use the iframe content without my permissions. How can I allow only domains of my choice to be able to embed the iframe with the page's content?
I know vimeo does this, and allows video owners to block the video on certain websites that they don't find appropriate.
I want server side ASP.NET solution, because Javascript code can be altered. However if it can be done using javascript code and its secure, It's ok.
From what I've seen, I need to pass the referrer in some way, but in a way that can be manually altered by other website owners to include the iframe themselves and it would work on their website too, without a permission.
Since it will be a standalone page as you mentioned in the comments, you can do this by inspecting the referer property.
Request.UrlReferrer
See that it contains the domain that you want to allow. This property is available when an embedder puts your page in the IFRAME's SRC attribute and the page loads for the first time.
If the user clicks on a link inside the IFRAME, it is not guaranteed to pass the containing page as a referrer.
If you want to allow multiple linked pages inside the IFRAME to allow a specific domain, then you will need to stick to a JavaScript based solution.
Note however that neither method is completely foolproof.

IFrame Subdomain tracking with Google Analytics

I have a website that I created for the company I work at. This site is on a subdomain and is brought in as an iframe within another company's retail site, as we offer services under them. Is there a good way to track this with google analytics? I've never tracked a subdomain before, let alone in an iframe.
I've created a test analytics account, and added the top level domain, but I only put the tracking code on the pages for the subdomain that I created the site on. Will this even give me any information? and if that part of it works, is the information from an iframe setup accurate? I know from a design standpoint an iframe is kind of off in it's own world within a world, but does anyone have any experience on how google sees a site like that?
I've searched the forums and anywhere else i could think of, and they have bits of info on subdomains, practically nothing on iframes, and nothing combining the two. I have no access to adding any tracking code to the partner company's retail site either.
If your iframe hosted content is not on the same domain as the parent page (which I'm going to assume is not, based on the context of your question), then google will report the page name as the URL of the iframe, not the parent page.
GA code has a way to override the default page name, however, you cannot retrieve the parent URL in this case, because this is considered cross-site scripting (XSS).
The only way to get info about the parent page in this case is for whoever has control over the parent page that has the iframe tag, to pass the parent URL to the iframe by adding a query string parameter to the iframe src="..." attribute (also, same thing for any other info you want to pass to the iframe page). Then you can write some javascript to retrieve those values from the URL and pop whatever you want, including overriding the default reported page name (which you would do by setting the optional 2nd param to your _trackPageview call).
If the iframe content IS on the same domain (even if it is a subdomain of the parent page), then you can access the parent page properties using parent.window.whatever instead window.whatever.
Well, from what I understand, you have a page that will be inserted inside an iframe to a second page, but we need to know if the page that will host the iframe is the same domain as the calling page:
If the page called by the iframe in the same domain of the calling page:
In this case, you can insert the block of JavaScript Google Analytics, as both the iframe on the main page, and we have the measurement data from the main site, the iframe.
If the page that calls the iframe belongs to a different domain:
Some of the features that are measured are in frames within the site. These iframes indicate the domain, for example, site.com.br. Whenever a page in one domain has a frame to a different domain prevents the browser cookies that are stored inside the Iframe, which in the case would prevent the measurement.
Cookies are nothing more than small text files that are stored by your browser on the machine. Most of our cookies are session cookies that are automatically deleted from your hard disk in the closing of the window. Persistent cookies also are used by websites to facilitate identification of your computer in the next visit you make to the site. Inactivation of the cookies can be made in your browser however, this will preclude all the functions available on the site.
To allow the recording of cookies should add P3P headers in HTTP server that serves pages. This header causes no change in display mode or operation of the pages. Just instruct your browser to allow to record cookies of third, however, it has a bigger role in Internet Explorer. If you do not set, you can receive data from other browsers (Google Chrome, Firefox, Opera, etc. ..), but Internet Explorer still has a widespread use of the mass of the population.
Imagine that we have four distinct domains:
www.site1.com
www.site2.com
www.site3.com
www.site4.com
These four pages will receive the iframe tag:
<iframe Src="http://www.meusite.com.br/anuncio.php">
The anuncio.php page need to have a call header p3p for accept the third party cookies.
To add the header p3p use the code below (should be added to all pages that belong to the same domain)
ASP.Net
HttpContext.Current.Response.AddHeader ("p3p", "CP = \" "PSA CONE NOI ONL OUR BUS \" "")
PHP
header ('P3P: CP = "NOI PSA CONE ONL OUR BUS"');
JSP
response.setHeader ("P3P", "CP =" NOI PSA CONE ONL OUR BUS '")
ColdFusion
<cfheader name="P3P" value="CP='PSA CONo OUR ONL NOI BUS'" />
I hope to have helped:)

locally held iframe parent location issue

So I am holding a html file on my desktop that has an iframe within it.
This iframe is all good but I want a button within it to control the location of the web page hosting it.
So I want the iframe's parent to go back in history by 1 page, I used this method but it did not work. How would you do this?
onClick="parent.history.go(-1)"
If the inner iframe is on a different host that the outer frame (or even two different URL protocols like file: and http:), you will have trouble making a direct call, because the browser is preventing cross-site scripting vulnerabilities.
One thing that works is in that case is cross-window messaging using postMessage(). Check out http://ejohn.org/blog/cross-window-messaging/ for an example.

Is it possible to find a cross-domain iframe's new URL after a redirect?

I'm trying to post to the login form of an application on another subdomain of my site. It's a third party app that I don't have source access to.
I know that you can't access most features of a cross-domain iframe because of same origin policy. All I need to access, however, is the URL that's been redirected to (via JavaScript) within the iframe. It has a session token that I want to pass through.
That seems like something that might be safe enough to be allowed, but I haven't found a way to do it yet. I'm using jQuery, and I've tried $('iframe').contents(), but I seem to have no permissions at all on that object. I've also checked $('iframe').attr('src'), but it remains as the pre-redirect URL. Is there another way?
No, you don't have access to any properties within an iframe. You only have access to the outer positioning and styling properties.
This is why frames are such a pain to work with. I usually only use them if I don't care what is done within them.
Can you not do a server-side authentication and token passing? Instead of having the client do the authentication, can you not do that on your server? You may need to do some extra work to create the HTTP request and parse the response, but you avoid any iframe issues.
Bottom line is iframes probably aren't the best to rely on(especially when it comes to cross-browser functionality) for important things like authentication.
Try this example (method 2) in which the author sets up another iframe inside the first, loading a page at the original domain.
The inner page is allowed to call javascript on the outer parent, since they are loaded in the same domain.
Simply load the inner page with appropriate parameters, which can be passed on to the parent.

Set iframe to height of content for remote content

The question of how to make your iframe fit 100% of your content (using JavaScript) has been answered on the forum already... for iframes displaying content from the same domain only.
My questions: Is it possible to resize an iframe to fit the content when the iframe src attribute is for a page outside of the domain of the page containing the frame? The browser security features surrounding cross-site scripting prevent me from accessing the document object for the iframe.
I'm looking for any creative solution. One of my thoughts was to somehow detect that scrollbars were visible on the iframe, and to incrementally increase the height until they weren't. Unfortunately I can't find any way to detect visible scrollbars either. Ideas?
Please note that I am looking for a client-side solution.
Responses:
Dave
The problem still exists - I don't know the height of the remote document ahead of time, so I can't set it from a database or querystring value.
dusoft
100% on the iframe in CSS will not set it to 100% of the content inside the iframe, but relative to the the page or containing element (i.e., a div or something).
(My answer to a similar question)
It is not possible to do this without some control over the page being iframed because of the browser's security model. If it was possible, that would be a security problem and would have to be fixed.
Although letting the embedding site know the height of a third party webpage when embedded in the page seems harmless, this can leak information to the embedding site that the browser's user wants to keep private. For example, http://www.facebook.com/ renders differently depending on whether or not you are logged in, so if my website can work out the height of <iframe src="http://www.facebook.com/"> then I can work out whether or not you are a facebook user, something you probably don't want me to know.
The information leakage would be similar to the infamous CSS History Leak which browser vendors had to plug.
Is it possible to resize an iframe to fit the content when the iframe src attribute is for a page outside of the domain of the page containing the frame?
It is possible to get around the cross-site limitation and have an iframe set to the height of it's content, but it can be a bit awkward to get it to work.
The solution involves working around the security model by having the iframed content itself iframe a page on the the same server as the parent page, with which it can communicate. I've answered a similar question to this before here, which goes in to a fair bit of detail on the ins and outs of setting it all up.
The caveat on the described approach is that you must have means of getting your iframed content to itself iframe a page on the parent server. This is usually achieveable when the iframed content is there as part of an agreed partnership between sites, but YMMV.
It sounds like you are trying to work around a security feature that was put in place for a good reason...
Does the resizing have to be through script? You could redirect to a page where the size of the iframe is taken from a querystring, or a database, or config file, etc.
This is theoretical as I have not tested it:
1) PHP save the remote page into a
local html file using
file_get_content() or using CURL. 2) Javascript load local file into
iframe
- it's now local and security issues don't apply.
If there are javascript vars or Session vars (which cannot be pulled from remote content) you can at least use this technique to query the document height of your local file, set the iframe accordingly, then load the remote URL into the resized iframe.
Cavat: you have no way of knowing URLs for page changes within the remote page, therefore you can only use this technique on the first page. If the remote pages are all same height this is no problem.
not the best solutions but you can try:
javascript to write iframe, in iframe app set the current height in url #h700 for 700px etc; then use a loop to listen for that change on host site "in the javascript" to read the src="url#h700" and set the height of the iframe by that.

Resources