
This is a website which is relevant to the topic that I am researching - getting an IFrame's current URL address from another domain.

Here it is: http://hidemyipaddress.org/ (to use it simply go to the bottom, enter a website address and click "go").

You can surf any website through their website - and the amazing thing is that they can keep track of your current location, and even show it to you. (Here is a picture to illustrate: http://img199.imageshack.us/img199/6343/image2eb.jpg)

The reason I am asking is because I am trying to do the same thing.

How is this possible? Isn't that XSS or something? Thanks for taking your time on this.

user1938653
  • There is no iframe. The page is proxied and the header is inserted in. – Blender May 08 '13 at 00:07
  • Once you browse a website through theirs and click on a random link on that website, "hidemyipaddress.org" will somehow be able to detect even the link which you have clicked on. Are you sure there isn't an iframe? So how are they able to detect what I just described? – user1938653 May 08 '13 at 00:12
  • Check the source. There's no iframe. It's proxied server-side, so there are no cross-origin restrictions. – Blender May 08 '13 at 00:13

1 Answer


This is a web-based proxy. When you enter an address into the proxy address input and hit search, you are requesting that the proxy server retrieve the website for you. The proxy server requests the page you have asked for, parses the HTML so that all URIs are "proxied URIs", adds any additional HTML such as banners, and then returns the page in the HTTP response.

If there were an iframe, the current URL of the iframe would actually be on the same domain. It's a proxy, so the server at hidemyipaddress.org is actually returning the HTML to your client. Furthermore, the address of an iframe would be irrelevant. The URI in that address box would just display the address that you requested. It would not reflect on the src of an iframe or the current location of that frame.

Matt Esch
  • Thanks for your detailed answer. Is it an easy task to do what they just did? Any demonstration of how to start would be great. – user1938653 May 08 '13 at 00:14
  • It's certainly not trivial to do from scratch. There are a number of web-based proxy servers that you can download and run. Do you have a setup/language in mind? – Matt Esch May 08 '13 at 00:20
  • Does it have to be through a proxy in order to work? I only need to make my system similar to "hidemyipaddress.org" in a way that a user can surf any other site through my site, and my site will be able to detect the user's current URL, and show it to him as a $value. I prefer the English language, and I wouldn't mind if it would be proxy-based if it has to be. – user1938653 May 08 '13 at 01:25
  • Well, given the cross-domain limitations of iframes, I don't think you have any other option. I'm not sure what you're attempting to achieve in a broader sense, but I am finding it hard to find a good reason to intercept this information otherwise. – Matt Esch May 08 '13 at 03:08
  • See relevant question: http://stackoverflow.com/questions/5975526/iframe-onload-event – Matt Esch May 08 '13 at 03:11
  • Alright then... if it has to be with a proxy, so be it. Is there any proxy-based system that could help? By the way, that relevant question did not work for me. – user1938653 May 08 '13 at 11:01
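
The rewrite step the answer describes (resolve every URI, point it back at the proxy, insert a banner), as an added sketch that is not part of the original answer or of any site's code. The `/browse?u=` route, the function names and the sample page are assumptions; it shows why the proxy always knows the "current URL": each click arrives as a same-origin request that carries the target in `u=`.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urljoin, urlsplit

PROXY_PREFIX = "/browse?u="            # hypothetical route on the proxy's own origin
URL_ATTRS = {"href", "src", "action"}
# Constructed sample page, standing in for what the proxy fetched server-side.
SAMPLE = ('<html><body><a href="/about?x=1&amp;y=2">About</a>'
          '<a href="mailto:a@example.com">Mail</a></body></html>')

def proxied(base_url, value):
    """Resolve a link against the fetched page's URL and point it back at the proxy."""
    absolute = urljoin(base_url, value)
    if urlsplit(absolute).scheme not in ("http", "https"):
        return value                   # mailto:, javascript:, data: are left untouched
    return PROXY_PREFIX + quote(absolute, safe="")

def current_url(request_target):
    """The 'current location' is just the u= parameter of the request the proxy received."""
    return parse_qs(urlsplit(request_target).query)["u"][0]

class Rewriter(HTMLParser):
    # Simplified: comments and the doctype are dropped, void tags are not special-cased.
    def __init__(self, base_url):
        super().__init__(convert_charrefs=False)
        self.base_url, self.out = base_url, []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:      # the parser hands over unescaped attribute values
            if name in URL_ATTRS and value:
                value = proxied(self.base_url, value)
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag == "body":              # banner comes from the proxy; escape the shown URL
            self.out.append(f'<div id="proxy-bar">{escape(self.base_url)}</div>')

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def rewrite(html, base_url):
    parser = Rewriter(base_url)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```
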