1

I have an HTML page with an iframe included from a cross domain that doesn't belong to me.

I need to do some basic JavaScript modifications in the iframe (write a value and fire an event -> form processing).

Because of the same origin policy I'm not allowed to do this. However, I need to do it, so I'm searching for a workaround.

It only matters that the solution lets me run a script for myself. It is enough if it works in one browser, and I don't need security for myself.

In my research I have found a lot of ways to break the same origin policy, like document.location (in FF only with similar locations), JSONP/sendMessage (I need to be the owner of both domains) and so on, but nothing that works with an iframe of a page that doesn't belong to me.

Kara
Sebastian Bechtel

1 Answer

3

The only "workaround", if you can't make the other site include the relevant CORS headers, would be to fetch the iframe content server side and serve it as coming from your own domain.

The reason there isn't a simpler workaround is the reason the same origin policy exists: to protect users.

Denys Séguret
  • CORS is not possible. The idea with the server side "proxy" (is this the right term?) could be working, I need to auth before serving the iframe but maybe it is possible for me to auth, proxy, js manipulate it. I'll try! – Sebastian Bechtel Mar 17 '13 at 11:38
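
Why the server-side copy described in the answer becomes scriptable while the original iframe does not, shown as an added example that is not part of the original answer: a small model of the browser's origin comparison (scheme, host, port). All hostnames and the `/proxy` path are constructed placeholders.

```javascript
// Added example: models the same-origin comparison a browser applies before
// letting a parent page script an iframe. URLs are constructed placeholders.

// Return the serialized origin (scheme://host[:port]) or null when the URL
// has an opaque origin (e.g. data: documents), which never matches anything.
function originOf(urlString) {
  const url = new URL(urlString);
  // The URL API reports the string "null" for opaque origins.
  return url.origin === "null" ? null : url.origin;
}

// True only when both documents share scheme, host and port.
function canScript(parentUrl, frameUrl) {
  const parent = originOf(parentUrl);
  const frame = originOf(frameUrl);
  if (parent === null || frame === null) return false;
  return parent === frame;
}

const PARENT = "https://my-site.example/page.html";

// Each case: [iframe URL, why it is or is not same-origin with PARENT]
const CASES = [
  ["https://other-site.example/form", "third-party iframe: host differs"],
  ["https://my-site.example/proxy?u=form", "copy served from own domain"],
  ["https://my-site.example:443/form", "explicit default port is normalized"],
  ["http://my-site.example/form", "scheme differs"],
  ["https://my-site.example:8443/form", "port differs"],
  ["https://sub.my-site.example/form", "subdomain is a different host"],
  ["data:text/html,<p>x</p>", "opaque origin"],
];

// Evaluate every case and return rows a caller can print or assert on.
function evaluateCases() {
  return CASES.map(([frameUrl, reason]) => ({
    frameUrl,
    reason,
    allowed: canScript(PARENT, frameUrl),
  }));
}

for (const row of evaluateCases()) {
  console.log(`${row.allowed ? "ALLOW" : "BLOCK"}  ${row.frameUrl}  (${row.reason})`);
}
```

The proxied copy is a different origin from the real site, so the browser does not attach the user's cookies for the original domain to it; any session has to be established by the proxying server itself.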