Getting the url in address bar in an iframe - drupal

I am working on a project in Drupal in which I have an iframe loaded in another website.
I need to get the URL from the address bar.
E.g., let's say I have a website embedded in the iframe as example.com, and another site embedding this iframe has the domain abcd.com.
So the URL that gets formed on accessing any content in the iframe would be like:
abcd.com/#/
I need to get this URL in the iframe.
Please help me resolve this problem. I am trying to write a custom module for this but don't know how to proceed.

You cannot access the URL of an iframe from the outside. Think about potential XSS attacks that could occur from that:
http://yourbankingsite/account?sessid=2239872379092FEAACC2390823
Of course, this is a bad way to store the session id, but there are quite a few (and popular) sites that do this. If you had access to the iframe URL, a malicious website could be nothing but said iframe and a script to harvest the session ID.

In your iframe you could add a variable to the iframe URL and use Drupal's 'current_path' to get the URL of the iframe's parent. Then you could retrieve this variable from your iframe page (and make sure you validate it before you use it), i.e.
www.iframsite.com/iframepage?from=<?php print current_path(); ?>

Related

How to get only contents of the browser address bar, NOT full URI

Does anyone know if there's a clean way to get the contents of the browser address bar, not the absolute URI?
I know you can use Request.Url.AbsoluteUri to get the full request, and normally that would be fine. However, in this case I need to know if the user has landed on the page via the site's basic DNS.
For example, if my site is called http://www.mysite.com, and the default page is page1.aspx, then Request.Url.AbsoluteUri returns http://www.mysite.com/page1.aspx if a user hits the site from http://www.mysite.com. In this case, all I want to get is: http://www.mysite.com. Is this possible?
The reason behind this is so that I can have the site embed statistical JavaScript code on the root page if the site is hit via the basic URL, and not if the page is included in the address bar. Does this make sense?
The term you are looking for is URL rewriting.
Refer to this tutorial.

Load iframe on specific domains only

I want to allow some websites to embed an iframe with a page from my domain. However, I don't want anybody to be able to use the iframe content without my permissions. How can I allow only domains of my choice to be able to embed the iframe with the page's content?
I know vimeo does this, and allows video owners to block the video on certain websites that they don't find appropriate.
I want a server-side ASP.NET solution, because JavaScript code can be altered. However, if it can be done using JavaScript code and it's secure, it's OK.
From what I've seen, I need to pass the referrer in some way, but in a way that can be manually altered by other website owners to include the iframe themselves and it would work on their website too, without a permission.
Since it will be a standalone page as you mentioned in the comments, you can do this by inspecting the referer property.
Request.UrlReferrer
See that it contains the domain that you want to allow. This property is available when an embedder puts your page in the IFRAME's SRC attribute and the page loads for the first time.
If the user clicks on a link inside the IFRAME, it is not guaranteed to pass the containing page as a referrer.
If you want to allow multiple linked pages inside the IFRAME to allow a specific domain, then you will need to stick to a JavaScript based solution.
Note however that neither method is completely foolproof.

IFrame Subdomain tracking with Google Analytics

I have a website that I created for the company I work at. This site is on a subdomain and is brought in as an iframe within another company's retail site, as we offer services under them. Is there a good way to track this with Google Analytics? I've never tracked a subdomain before, let alone in an iframe.
I've created a test analytics account, and added the top level domain, but I only put the tracking code on the pages for the subdomain that I created the site on. Will this even give me any information? And if that part of it works, is the information from an iframe setup accurate? I know from a design standpoint an iframe is kind of off in its own world within a world, but does anyone have any experience on how Google sees a site like that?
I've searched the forums and anywhere else I could think of, and they have bits of info on subdomains, practically nothing on iframes, and nothing combining the two. I have no access to adding any tracking code to the partner company's retail site either.
If your iframe hosted content is not on the same domain as the parent page (which I'm going to assume is not, based on the context of your question), then Google will report the page name as the URL of the iframe, not the parent page.
GA code has a way to override the default page name, however, you cannot retrieve the parent URL in this case, because this is considered cross-site scripting (XSS).
The only way to get info about the parent page in this case is for whoever has control over the parent page that has the iframe tag, to pass the parent URL to the iframe by adding a query string parameter to the iframe src="..." attribute (also, same thing for any other info you want to pass to the iframe page). Then you can write some JavaScript to retrieve those values from the URL and pop whatever you want, including overriding the default reported page name (which you would do by setting the optional 2nd param to your _trackPageview call).
If the iframe content IS on the same domain (even if it is a subdomain of the parent page), then you can access the parent page properties using parent.window.whatever instead of window.whatever.
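The iframe-side half of the query-string approach, as an added example that is not part of either answer: it reads the parent URL the embedder placed in the iframe src, accepts it only when it is an http(s) URL on an expected embedder host, and drops the query and fragment before the value is reported. The parameter name `from` follows the Drupal answer further up; the host list, the function name and the requirement that the embedder passes an absolute URL are assumptions.

```javascript
// Added example: validate a parent-page URL that an embedder passed to the
// iframe in its src query string. ALLOWED_EMBEDDERS and the function name
// are assumptions for illustration.
const ALLOWED_EMBEDDERS = new Set(['abcd.com', 'www.abcd.com']);

function parentPageFromQuery(iframeHref, allowed = ALLOWED_EMBEDDERS) {
  let raw;
  try {
    raw = new URL(iframeHref).searchParams.get('from');
  } catch {
    return null;                       // the iframe URL itself did not parse
  }
  if (!raw) return null;               // parameter absent or empty

  let parent;
  try {
    parent = new URL(raw);             // must be absolute; relative values throw
  } catch {
    return null;
  }
  // Only web URLs: rejects javascript:, data:, file: and similar schemes.
  if (parent.protocol !== 'http:' && parent.protocol !== 'https:') return null;
  // Exact host match. URL() has already lowercased the host and split off
  // any user:pass@ prefix, so "abcd.com@evil.example" resolves to evil.example.
  if (!allowed.has(parent.hostname)) return null;

  // Report origin + path only: query strings and fragments can carry
  // session identifiers or other per-user data.
  return parent.origin + parent.pathname;
}
```

Passing this check shows that the value is well-formed and names an expected host, not that the page was really embedded there, since anyone can write an iframe src with any `from` value.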
Well, from what I understand, you have a page that will be inserted inside an iframe in a second page, but we need to know if the page that will host the iframe is on the same domain as the calling page:
If the page called by the iframe is in the same domain as the calling page:
In this case, you can insert the Google Analytics JavaScript block in both the iframe and the main page, and we have the measurement data from both the main site and the iframe.
If the page that calls the iframe belongs to a different domain:
Some of the features that are measured are in frames within the site. These iframes indicate the domain, for example, site.com.br. Whenever a page in one domain has a frame to a different domain, the browser prevents cookies from being stored inside the iframe, which in this case would prevent the measurement.
Cookies are nothing more than small text files that are stored by your browser on the machine. Most of our cookies are session cookies that are automatically deleted from your hard disk when the window is closed. Persistent cookies are also used by websites to facilitate identification of your computer on the next visit you make to the site. Cookies can be disabled in your browser; however, this will preclude all the functions available on the site.
To allow cookies to be recorded, you should add P3P headers on the HTTP server that serves the pages. This header causes no change in the display mode or operation of the pages. It just instructs your browser to allow third-party cookies to be recorded; however, it has a bigger role in Internet Explorer. If you do not set it, you can receive data from other browsers (Google Chrome, Firefox, Opera, etc.), but Internet Explorer is still widely used by the general population.
Imagine that we have four distinct domains:
www.site1.com
www.site2.com
www.site3.com
www.site4.com
These four pages will receive the iframe tag:
<iframe src="http://www.meusite.com.br/anuncio.php"></iframe>
The anuncio.php page needs to send a P3P header to accept the third-party cookies.
To add the P3P header, use the code below (it should be added to all pages that belong to the same domain).
ASP.Net
HttpContext.Current.Response.AddHeader("p3p", "CP=\"PSA CONE NOI ONL OUR BUS\"");
PHP
header('P3P: CP="NOI PSA CONE ONL OUR BUS"');
JSP
response.setHeader("P3P", "CP=\"NOI PSA CONE ONL OUR BUS\"");
ColdFusion
<cfheader name="P3P" value="CP='PSA CONo OUR ONL NOI BUS'" />
I hope to have helped:)

can Asp.net get parent window url by referrer?

I heard that if your ASP.NET page is inside an iframe and you want to get the parent URL, you can achieve this by using the referrer?
I tested it and it is okay, and found that the parent window URL is included in the referrer when the iframe content is called:
Request.UrlReferrer.ToString();
Assume that I can only use server side to achieve this.
I just want to ask: is that way safe?
Is there any chance of losing the referrer URL in this case?
The browser is not guaranteed to send the referer. It's all up to the browser/configuration/extensions/proxies and whatnot between the request and your server.
If the user navigates to a different page within the iframe, the referer will point to whatever the user came from.
All in all, never use the referer for any logic that may fail if it's not there or if it has an unexpected value.
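The referrer check discussed in this answer and in the "Load iframe on specific domains only" answer above, as an added example that is not code from either post: it sets a substring test on the raw header beside a parsed-host comparison that also reports a missing Referer as its own outcome. It is written in JavaScript rather than ASP.NET to show the logic only; the site list, the sample values and the function names are assumptions.

```javascript
// Added example: decide whether a request for the framed page came from an
// allowed embedder, based only on the Referer header. ALLOWED_SITES and the
// function names are assumptions for illustration.
const ALLOWED_SITES = ['partner.example', 'shop.example'];

// Weak form: substring test on the raw header value.
function refererContainsAllowed(referer, sites = ALLOWED_SITES) {
  return Boolean(referer) && sites.some((s) => referer.includes(s));
}

// Stricter form: parse the header, compare the host on a label boundary,
// and report a missing or unparsable Referer separately so that the caller
// has to choose a policy for it.
function classifyReferer(referer, sites = ALLOWED_SITES) {
  if (!referer) return 'absent';
  let host;
  try {
    const u = new URL(referer);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'invalid';
    host = u.hostname;
  } catch {
    return 'invalid';
  }
  const ok = sites.some((s) => host === s || host.endsWith('.' + s));
  return ok ? 'allowed' : 'denied';
}

// Constructed Referer values, not taken from real traffic.
const SAMPLES = [
  'https://partner.example/landing',
  'https://www.shop.example/p/1',
  'https://partner.example.attacker.test/',
  'https://attacker.test/?u=partner.example',
  '',
];

// One row per sample: [referer, weak result, strict result].
function compare(samples = SAMPLES) {
  return samples.map((r) => [r, refererContainsAllowed(r), classifyReferer(r)]);
}
```

Even the strict form only reflects what the client chose to send: a non-browser client can set any Referer, and a browser may send none.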
You can do this but it is not entirely in ASP.Net.
You would have to get the referrer from JavaScript and pass that to the iframe.
One of the 2 following calls would be what you are looking for.
top.document.referrer
or
parent.document.referrer

Issue with passing querystring parameters via Http Get to an iframe in IE

This is a follow up to my previous question: Problem passing parameters via Iframe in IE. Which was never solved.
Here's the core of it:
I'm trying to execute an HTTP GET from my website to another website that is brought in via iframe.
On Firefox, you can see in the source that the correct url is in the iframe src along with its correct parameters-- and it works.
On IE, you can see in the source that the correct url is in the iframe src along with its correct parameters-- and it doesn't work...
Is there something about IE that doesn't let you pass parameters through an iframe in the querystring?
I've tried refreshing the iframe in IE, I've tried refreshing my page & the iframe in IE, and I've tried copying the url and re-pasting it into the iframe src (forcing it to refresh as if I just entered it into the address bar for that iframe window). Still no luck!
Anyone know why this is happening, or have any suggestions to try to get around this?
As for the code, all it's doing is creating the src from the backend code on page load and setting the src attribute from the back end...
//Backend code to set src
mainIframe.Attributes["src"] = srcWeJustCreated;
//Front end iframe code
<iframe id="mainIframe" runat="server" />
I've made a temporary account for you to login and see exactly what I mean. That way you can use firebug or any of your other debugging techniques to figure out why this isn't working rather than having me try to explain what's going on.
EDIT: Changed the account credentials. Please use this one instead
Username: matt
Password: globalbuying
Please follow this link to get to the login page. Once you log in with the above credentials it will take you to the main backend page. Click the image on the left that says "Vacations", that will take you to a page with the iframe and will execute the Http Get from there.
If you need more details on what's going on in the behind code, etc., let me know and I'll post them.
Thanks,
Matt
After working my way through the HTTP requests with Fiddler2, comparing different browsers, I found that IE makes the request just fine, but fails to set any cookies in the iframe.
I also noticed that if I open that framed page by itself it does work. Even more so, after logging out again there, the iframed version works too. That's because it then already has a session cookie and the iframe no longer needs to set it.
It turns out that this is a known security restriction: IE blocks cookies in iframes. But this can be overcome with the use of the Platform for Privacy Preferences (P3P).
Here are a few links that should help you fix the problem. Starting off with another (answered) question on StackOverflow:
Cookie blocked/not saved in IFRAME in Internet Explorer
Privacy in Internet Explorer 6
IE Blocking iFrame Cookies
The example page you provided is working for me in IE8. The iframe is not as tall as in chrome, but it does have the correct page in it.
As an aside, please note that passing logon credentials via the query string is extremely unsecure and open to various exploits.
It seems that the ampersands in the iframe's URL are HTML-encoded (&amp;).
I think that might cause IE to choke on identifying the param names. Does the problem still occur if you use plain ampersands in the URL?
If the encoding on the src attribute is happening implicitly, you might want to consider using a Literal control for testing purposes and set its Text property to the entire iframe tag to avoid any unwanted encoding.
