4

Summary: I am working on an electron app where we load a clients web app into an iframe and at one point the code in this iframe calls window.top.close() which causes the ui to become unresponsive. The client is not able to fix this functionality at this point so we need to handle it ourselves. What are some options, if there are any, for resolving this issue?

I am thinking I should be able to loosen some security on the iframe. Maybe with some CSP on the parent? I see some frameworks like NodeWebkit have custom v8 handled html attributes to force iframes to return its own window when trying to access window.top or window.parent, but i feel like there has to be away to just replace wondow.top.close

  • iframe is already in a webview and cannot use nested webviews
  • iframe content is a different domain
  • iframe cannot be sandboxed because client code runs flash plugins
  • App in question is Electron 1.3.0

What I have tried: Replacing window.top.close: replacing iframe.contentwindow.top.close from the parent window context works if i load content from the same domain but does not for the client cross domain code. I do not get any errors, the ui just locks up

jumpdart
  • 1,702
  • 16
  • 35
  • _“replacing `iframe.contentwindow.top.close` from the parent window context works if i load content from the same domain”_ - since you are just diving into the iframe here, only to then go up to your main window again, that should be the same as if you had “replaced” `window.close` resp. `self.close` in your main window directly … those would just not be crossing domain boundaries, so that should work in any case. – CBroe Jul 09 '18 at 14:06
  • @CBroe in this case yes, thank you. Any insight on why the iframe access from cross domain iframe content appears to cause the renderer to crash? – jumpdart Jul 09 '18 at 14:11
  • A also found a blink bug seemingly related to this but the chrome version in electron 1.3.0 should have already addressed this. https://bugs.chromium.org/p/chromium/issues/detail?id=463191 – jumpdart Jul 09 '18 at 14:13
  • This seems like a similar discussion - https://stackoverflow.com/questions/369498/how-to-prevent-iframe-from-redirecting-top-level-window – jjbskir Jul 09 '18 at 16:03
  • see this https://stackoverflow.com/questions/50352346/javascript-track-iframes-redirecting-top-window/50975668#50975668 there are several options. – Emeeus Jul 16 '18 at 00:20

1 Answers1

2

See if doing the following works:

1) Load the content into the webview that you are trying to manipulate.

2) Use the webcontents.executejavascript to run the javascript you need to prevent access to top

Spartan 117
  • 520
  • 2
  • 6
  • 21
  • Yeah this is pretty much exactly what I had to do. I also needed to tweak the webview's node integration to get the content to play nice. – jumpdart Jul 16 '18 at 13:39
  • accepting this answer as it is close to what I had to do and is the only answer but I will change it if someone helps me identify/solve the original issue – jumpdart Jul 16 '18 at 13:40