How to get current page loaded url from iframe [duplicate]

前端未结

关注

 2  936

南方客

相关标签:

2条回答

我寻月下人不归

2021-01-12 02:50
For a matter of security you are allowed to retrieve the URL as long as the contents of the iframe, and the referencing javascript, are hosted in the same domain.

Should it be the case, you can do something like:
```
document.getElementById("frameid").contentWindow.location.href
```
If the two domains are different then you'll have all the restrictions that apply to the cross-site reference scripting domain. Example:
```
document.getElementById("frameid").src = 'http://www.google.com/';
alert(document.getElementById("frameid").documentWindow.location.href);

Error: Permission denied to get property Location.href
```
For sure (except if you find some huge security flaw in your browser) you simply cannot achieve what you need using javascript in the parent document. Let's see with a simple example why. If the browser allowed what you need, you could easily:
1. Create a page, with a hidden iframe (e.g. http://malicous.com/dont-trust)
2. In that iframe, open a child page with the login process of some website (e.g. http://insecure-web-site.com/redirectlogin)
3. If cookies for child are present and under certain circumstances, the page inside the frame will redirect to the real website, proceeding with user login.
4. From the parent page now you will be able to read all the sensitive informations gone through the login process contained inside the URL, e.g. access tokens, session IDs, ...
5. At this point the victim website and its users are in front of a wide new set of possible security threats...
0 讨论(0)
发布评论:

提交评论
- 加载中...
暗喜

2021-01-12 03:02
Seem likes there is a hack to make this work and I actually can't believe it's even allowed. This is how it seems to work:

1) Change the domain to match iframe:
```
document.domain = <iframe_domain>
```
2) Get the URL like so:
```
console.log($('iframe')[0].contentWindow.location.href)
```
In my opinion, this should not have worked, but it does. I tested with the following in Safari, Chrome and Firefox all latest version as of 02/01/2017:

Main: http://subdomain.website.com iframe: http://www.website.com

What do you think? Is this permanently allowed or is it an oversight that will be patched soon?

Update

I started another thread for discussion here regarding browser security.

Isn't This A Serious Browser Security Issue? RE: Cross-Domain iframe Hack

Update 2

Seems like this will always be supported for specific cases.

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
0 讨论(0)
发布评论:

提交评论
- 加载中...

热议问题