开发者

Running a bookmarklet on an iFrame that is coming from a different domain

开发者 https://www.devze.com 2023-01-31 11:58 出处:网络
Is there any way to run a bookmarklet on an iFrame which is from a different domain? For example, I have a page loaded from http://example.com, which has an iFrame whose source is set to http://examp

Is there any way to run a bookmarklet on an iFrame which is from a different domain?

For example, I have a page loaded from http://example.com, which has an iFrame whose source is set to http://example2.com. When I run the bookmarklet, it is always run on http://example.com, since that is the main page. I want to run it on the other iFrame though.

When I attempt to interact with the iFrame (e.g. by changing its source attribute to javascript:alert('test')), Chrome shows the following error:

Unsafe JavaScript attempt to access frame with URL http://example.com from frame with UR开发者_如何学编程L http://example2.com. Domains, protocols and ports must match.

I tried dragging and dropping the bookmarklet into the frame, but it says:

Failed to load resource

Is there any way for me to interact with an iFrame using a bookmarklet in Chrome?


There is a way to do cross-domain message-passing (not arbitrary code execution) using window.postMessage, yet all a frame A can do to frame B (when they are not of the same origin) is passing it a message hoping that B has a callback function listening for this message.

So here if you control exemple2.com (what's in the frame that don't get the bookmarklet), you can make the bookmarklet pass a message to the iframe and handle it in the iframe.

Else I don't think you have a solution here, except very complicated ones (like proxying).

Other links:

  • In-depth article about same origin policy and its implementations in browsers
  • A cross-browser, backward compatible postMessage attempt (as jQuery plugin)


iFrames have alot of security on them as do ajax calls.

Any attempt to use these in a cross-domain manner will result in a security error.

Imagine you were able to interact with other iFrames on different domains. You would be able to make an iFrame (like facebook login's page) that had width and height of 100% and add a function to execute on a submit event which would email you the username and pass before submitting.

So you're gonna have a lot of trouble accomplishing what you're trying to do. You basically can't mess with a page that you don't own. You can use firebug to edit it with the html tab though.

Hope that helps


One option if you are not in control of the page or the iframe is to load the iframe into a new window. The src attribute of the iframe is available to read by the parent JS, which can then open a new tab or window. The user can then click on the bookmarklet a second time to load it into this new page.

0

精彩评论

暂无评论...
验证码 换一张
取 消