How to get current page loaded url from iframe

Question

I'm using iframe to load faroo.com as default src in frame when i search and move to other webpage using faroo.But still in the iframe src its display faroo.com only i wanted to capture url of page that has loaded in iframe

<!DOCTYPE html>
<html>
<head>
    <script src="http://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.11.1.min.js"></script>
    <script type="text/javascript">
    $(function(){
        $('#frameid').load(function(){
            var z=$('#frameid').attr('src');
            console.log('hi '+z);
        });

        $('#clicked').on('click', function(){
            $('#frameid').attr('src', 'http://www.faroo.com/');    
        });
    });

</script>

</head>
<body>

<iframe width="100%" height="500px" id="frameid" src="" name="iframe_a" ></iframe>

<p><input type="button" value="click me!" id="clicked"></p>

</body>
</html>

The o/p at console.log is always faroo.com not the current website that has loaded

Answer 1

For a matter of security you are allowed to retrieve the URL as long as the contents of the iframe, and the referencing javascript, are hosted in the same domain.

Should it be the case, you can do something like:

document.getElementById("frameid").contentWindow.location.href

If the two domains are different then you'll have all the restrictions that apply to the cross-site reference scripting domain. Example:

document.getElementById("frameid").src = 'http://www.google.com/';
alert(document.getElementById("frameid").documentWindow.location.href);

Error: Permission denied to get property Location.href

For sure (except if you find some huge security flaw in your browser) you simply cannot achieve what you need using javascript in the parent document. Let's see with a simple example why. If the browser allowed what you need, you could easily:

1. Create a page, with a hidden iframe (e.g. http://malicous.com/dont-trust)
2. In that iframe, open a child page with the login process of some website (e.g. http://insecure-web-site.com/redirectlogin)
3. If cookies for child are present and under certain circumstances, the page inside the frame will redirect to the real website, proceeding with user login.
4. From the parent page now you will be able to read all the sensitive informations gone through the login process contained inside the URL, e.g. access tokens, session IDs, ...
5. At this point the victim website and its users are in front of a wide new set of possible security threats...

Answer 2

Seem likes there is a hack to make this work and I actually can't believe it's even allowed. This is how it seems to work:

1) Change the domain to match iframe:

document.domain = <iframe_domain>

2) Get the URL like so:

console.log($('iframe')[0].contentWindow.location.href)

In my opinion, this should not have worked, but it does. I tested with the following in Safari, Chrome and Firefox all latest version as of 02/01/2017:

Main: http://subdomain.website.com iframe: http://www.website.com

What do you think? Is this permanently allowed or is it an oversight that will be patched soon?

Update

I started another thread for discussion here regarding browser security.

Isn't This A Serious Browser Security Issue? RE: Cross-Domain iframe Hack

Update 2

Seems like this will always be supported for specific cases.

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy