1

I am particularly interested in simulating arrow keys.

Although there are many ways to simulate keys, like in this Keydown Simulation in Chrome fires normally but not the correct key

It doesn't work if it is on a iframe

Brian Tompsett - 汤莱恩
  • 5,753
  • 72
  • 57
  • 129
user279244
  • 961
  • 5
  • 18
  • 32
  • 1
    And it doesn't work on an iframe for a reason... – gkalpak May 28 '13 at 13:19
  • 2
    I don't think this can be done. [Same Origin Policy](https://developer.mozilla.org/en-US/docs/JavaScript/Same_origin_policy_for_JavaScript) will prevent you from injecting events in the first place. – Frédéric Hamidi May 28 '13 at 13:19
  • If you don't provide us with feedback, it is very hard for people providing answers like me to know if you resolved the situation or are still having problems. What's up? – Benjamin Gruenbaum Jun 09 '13 at 21:13

2 Answers2

3

Imagine the following scenario.

  • Bob is surfing the internet and goes to your site.
  • Eve's site opens an iframe with content from http://bobsbank.com
  • Eve's site stars injecting keystrokes and clicks to that site, sending all of Bob's money to Eve's account

This sort of scenario is why what you're trying to do is impossible.

The same origin policy will prevent it.

Benjamin Gruenbaum
  • 270,886
  • 87
  • 504
  • 504
  • 1
    +1, exactly my point. This kind of attack can't be prevented with typical CSRF counter-measures (in fact, afaik, all the CSRF counter-measures are actually based on inability of the container frame to modify the contents of the containee). – raina77ow May 28 '13 at 13:23
  • 1
    @raina77ow Correct :) Worth mentioning that you can't really simulate keystrokes in the same domain, or even in your own page with JavaScript, only predict what they attempt to do and act accordingly, as the DOM Events model considers them to be "untrusted events" (since they are not the result of user interaction directly). http://www.w3.org/TR/DOM-Level-3-Events/#trusted-events – Benjamin Gruenbaum May 28 '13 at 13:33
0

if you can modify the html from the page in the iframe you can use this what is called cross document messaging. http://caniuse.com/#feat=x-doc-messaging you would fire an event from the top frame and the iframe page would recive the event and interpret the outpout and fire an event (ie key stroke inside your frame).

If you are looking for this to work on older browsers there is a jquery pluing that will work with newer and older browsers: http://benalman.com/projects/jquery-postmessage-plugin/

user2428775
  • 26
  • 3