CODEWITHSUNDEEP
javascriptiframexsspolicycapability
monkeysword
monkeysword

Reputation:

Accessing iframe elements across different domains

I understand that cross site scripting (xss) is not good and is not supported in most browsers. However, I am building a page to be used only by about 3 or 4 people within my company. On this page I have a frame from another domain and I need the parent page to be able to access the values within that frame.

So my question is, is there a way (changing settings, etc), in either Firefox or IE7, to allow this to happen? Preferably (though not necessarily) any setting change would be for my domain explicitly.

I've found some help online that says that in FF you can add capability.policy to allow this. I haven't had any luck though, perhaps that isn't supported in FF3.

Upvotes: 2

Views: 6795

Answers (3)

Kyle Cureau
Kyle Cureau

Reputation: 19386

For those looking, there is a great backwards-compatible, javascript-only way to communicate across domains. Short, easy code as well. Perfect solution? As long as you have request modifications to the parent and the child:

http://www.onlineaspect.com/2010/01/15/backwards-compatible-postmessage/

Upvotes: 1

outis
outis

Reputation: 77440

Another option is to set up a proxy page so that the pages appear to originate in the same domain. Proxy pages can be terribly vulnerable to XSS, depending on implementation. Even though you state that that's not a concern here, it's important to consider.

Upvotes: 0

Yrlec
Yrlec

Reputation: 3458

A couple ideas of the top of my head:

  • In IE you can change the settings for the security zone that your site is in. I suggest you add the domains to "Trusted sites" and then make sure that ""Access data sources across domains." is enabled for the Trusted Sites-zone. You can find more info here.

  • If you have a domain-name which you have control over, maybe you can set up sub-domains which point to the sites in the different frames? Thereby fooling the web browser that they are part of the same site?

  • If you like coding you can create a custom app which uses the IE-browser control and implements its own IInternetSecurityManager (http://msdn.microsoft.com/en-us/library/ms537130(VS.85).aspx) which allows cross-domain script access.

Upvotes: 0

Related Questions