2

Suppose we have:

```html
<html>
  <body>
  <object width="435" height="350" type="application/x-shockwave-flash" data="http://www.youtube.com/v/SkPqgvQg3Mg"></object>
  </body>
</html>
```

So after the YouTube video gets loaded onto the HTML page, we get a new HTML page inside it if we use Inspect Element on the video.

Now I want to style the inline HTML inside the object tag.
Is there any way to do it?

manish kumar

2 Answers

5

Short answer: no.

There is no way to do what you want with CSS included in your page because CSS only applies inside document boundaries.
And you can't circumvent this with JavaScript either, by dynamically inserting stylesheets inside the object's (or iframe's) content, due to the same-origin security policy, which prevents you from affecting the content of an embedded document that is on a different domain than your container page.
The kind of vulnerabilities that this security policy prevents are called cross-site scripting vulnerabilities.

lleaff
  • Can't I manipulate the CSS, either with external CSS after the tag or by styling through JavaScript after the content has loaded? – manish kumar Feb 06 '17 at 08:40
  • @manishk No, unfortunately allowing this kind of cross-domain interference would open the door to [XSS attacks](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)). @Quentin Yeah, that wasn't the intended meaning but I edited for clarity. – lleaff Feb 06 '17 at 08:44
  • XSS is when user input (which could be supplied by a third party, e.g. by redirecting the user from a malicious site to a URL with the input embedded in it by the redirector) gets treated as code by the vulnerable site. It isn't the same as what the same origin policy prevents (which doesn't have a special name, because the same origin policy has always prevented it, so nobody has had to worry about it). – Quentin Feb 06 '17 at 09:02
  • @Quentin I've always interpreted the definition of cross-site scripting as more general than just user input being treated as code, and a quick Google research doesn't disprove this interpretation. I mean, if you could _script across sites_, that would be a _cross site scripting_ vulnerability, wouldn't it? – lleaff Feb 06 '17 at 09:08
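
The restriction described in the answer above, as an added example that is not part of the original thread: `sameOrigin` and `tryInjectStyle` are hypothetical helper names, and the container URL is constructed for illustration. The first function compares origins the way the same-origin policy does; the second shows how a style injection attempt fails cleanly when the embedded document belongs to another origin.

```javascript
// Added example; helper names are hypothetical, not from the thread.

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  // Opaque origins (data:, file:, ...) serialize as "null" and match nothing.
  return oa !== "null" && oa === ob;
}

// Try to append a <style> element to the document embedded in `frame`
// (an <iframe> or <object> element). Returns true only if access was allowed.
function tryInjectStyle(frame, cssText) {
  let doc;
  try {
    // For a cross-origin document the browser returns null here...
    doc = frame.contentDocument;
    // ...and reading .document through the window proxy throws SecurityError.
    if (!doc && frame.contentWindow) doc = frame.contentWindow.document;
  } catch (err) {
    return false; // blocked by the same-origin policy
  }
  if (!doc) return false; // no accessible document (e.g. plugin content)
  const style = doc.createElement("style");
  style.textContent = cssText;
  doc.head.appendChild(style);
  return true;
}

// Constructed container URL; the embed URL is the one from the question.
const CONTAINER = "http://example.com/page.html";
const EMBED = "http://www.youtube.com/v/SkPqgvQg3Mg";

function embedIsStylable() {
  return sameOrigin(CONTAINER, EMBED);
}
```

In a browser, `tryInjectStyle(document.querySelector("object"), "body { background: red }")` returns `false` for the markup in the question, because the embedded content is served from a different origin than the page.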
-1

-EDIT-

I think it would be best to use iframe, not object, since it's deprecated as of January 2015.

SOURCE

As for changing the CSS, I don't think it's possible for files from other sites.

ii7scw
  • "You should be able to do it with Javascript or CSS." — No, for pretty obvious security reasons, you can't modify other websites with client side JavaScript, even if they are in a frame. – Quentin Feb 06 '17 at 08:38
  • My bad...you learn something new every day...let me edit it – ii7scw Feb 06 '17 at 08:39