
Is it possible to get around the security and mimic either a full-browser or mobile browser within a webpage?

I had an idea to set the HTML manually, using an AJAX/XMLHttpRequest ("Get" request):

```js
document.querySelector('#myiframe').contentWindow.document.write("<html><body>Hello world</body></html>");
```

(from How to set HTML content into an iframe)

Can anyone verify this is possible? I'm guessing you would lose relevant site data (cookies, cache, etc.).

neaumusic

  • To do an _XMLHttpRequest_ to a different _origin_, assuming it's the same _protocol_, the server you're sending the request to needs to send the correct _CORS_ headers in the response. This is to stop you from, say, attempting to access someone's internet banking. – Paul S. Nov 29 '14 at 23:27
  • I'm familiar with CORS but is it really that simple? It seems arbitrary that only the top-level browser (Chrome) can use http:// protocols, but everywhere I look, people say it's not possible – neaumusic Nov 29 '14 at 23:31
  • It's not "simple" because it means you can't request random sites, you can only access servers you have control over. The protocol doesn't have to be _http:_, it could be _https:_ and hey if your browser permits it _file:_ or something else. The bit about the protocols is that you can't be on e.g. a _https_ resource and do an _XMLHttpRequest_ for a _http_ resource. Not sure about _CORS_ working if you try to change ports, either. – Paul S. Nov 29 '14 at 23:41

1 Answer


> Is it possible to get around the security

Yes, many browsers let you start them in a security-off mode, e.g. on Chrome you run the program with the `--disable-web-security` flag. However, you should never ask a client to do this.

An alternative way would be to write a Java applet, or some other third-party plugin, which fetches the resources you want and then passes them over to the browser with your favourite method, from which you can use JavaScript on the data as desired. This method would lose things like cookies, and might be exploitable, so I wouldn't recommend it.

> mimic either a full-browser or mobile browser within a webpage?

Finally, if you don't mind the "URL bar" displaying the wrong thing when a user navigates, you could just use the default behaviour. This method is totally acceptable and doesn't circumvent any security.

Paul S.
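The same-origin and CORS rules discussed in the comments above, as an added example that is not part of the original question or answer: a simplified JavaScript model of the browser's decision on whether a page may read an `XMLHttpRequest` response. The function name `canReadResponse` and all `*.example` URLs are hypothetical, and preflight requests and redirects are left out.

```javascript
// Simplified model of the browser's check: may script running on `pageUrl`
// read the response of an XMLHttpRequest sent to `targetUrl`?
// Assumptions: no preflight, no redirects; function name is hypothetical.
function canReadResponse(pageUrl, targetUrl, responseHeaders, withCredentials = false) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);

  // An origin is scheme + host + port; an identical origin needs no CORS.
  if (page.origin === target.origin) return { allowed: true, reason: "same-origin" };

  // Mixed content: an https page may not request an http resource.
  if (page.protocol === "https:" && target.protocol === "http:") {
    return { allowed: false, reason: "mixed-content" };
  }

  // Header names are case-insensitive, so normalise them before the lookup.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return { allowed: false, reason: "no-cors-header" };

  if (withCredentials) {
    // With cookies attached, "*" is not accepted: the server must echo the
    // exact origin and also send Access-Control-Allow-Credentials: true.
    const credOk = allowOrigin === page.origin &&
      headers["access-control-allow-credentials"] === "true";
    return { allowed: credOk, reason: credOk ? "cors-with-credentials" : "credentials-not-allowed" };
  }
  const ok = allowOrigin === "*" || allowOrigin === page.origin;
  return { allowed: ok, reason: ok ? "cors" : "origin-mismatch" };
}

// Constructed sample cases (all URLs are placeholders).
const PAGE = "https://app.example/viewer.html";
const cases = [
  ["https://app.example/api", {}, false],                                   // same origin
  ["https://app.example:8443/api", {}, false],                              // other port
  ["http://news.example/", { "Access-Control-Allow-Origin": "*" }, false],  // https -> http
  ["https://news.example/", {}, false],                                     // site you do not control
  ["https://api.example/", { "access-control-allow-origin": "*" }, false],  // server opted in
  ["https://api.example/", { "Access-Control-Allow-Origin": "*" }, true],   // "*" with cookies
];
for (const [url, headers, creds] of cases) {
  console.log(url, JSON.stringify(canReadResponse(PAGE, url, headers, creds)));
}
```

Only the server that owns the target resource can change the outcome, by sending the `Access-Control-Allow-Origin` header; nothing the requesting page does alters the result.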