0

Basically I have a cross-domain iframe and can't enable the allow-scripts flag, but at the same time I need to get the postMessage that is in a <script> tag in the iframe document OR access the iframe contentDocument.

I've tried:

// Grab the first iframe on the page and try to reach its document
let iframeElement = document.getElementsByTagName('iframe')[0];
let iframeContent = iframeElement.contentDocument;
console.log(iframeContent); // null for a sandboxed cross-origin frame

But with the sandbox flag I only get a null return.

What I need to be able to do is one of those three options:

  • Add an event listener to a tag that's inside the iframe contentDocument
  • Get an attribute value that's also inside the iframe contentDocument
  • A way to send a JSON from the origin page and get this JSON in the page with the iframe (postMessage)

But all of this without the allow-scripts flag. Is what I'm trying to achieve even possible?

sideshowbarker
4rtik
  • You cannot interact directly with a cross-origin ` – SLaks Dec 05 '18 at 23:59
  • Isn't there something like an `allow-post-message` flag? – 4rtik Dec 06 '18 at 00:06
  • `postMessage()` is a JavaScript function. If you don't allow JavaScript, you can't run _any_ JavaScript. – SLaks Dec 06 '18 at 00:07
  • Yeah, I figured, thanks for your help. – 4rtik Dec 06 '18 at 00:08
  • In these situations it's usually a smart idea to explain what it is that you're trying to achieve. There might be other solutions to get the same result, but we're not able to give you those if we don't know what you intend to do. – icecub Dec 06 '18 at 00:09
  • Don't comment that information. Instead, [edit](https://stackoverflow.com/posts/53642613/edit) your question for clarity to everyone that's trying to help you out. – icecub Dec 06 '18 at 00:12
  • Done, thanks for the help. – 4rtik Dec 06 '18 at 00:18
  • That is completely impossible. – SLaks Dec 06 '18 at 00:21
  • That is exactly what I told my client, but for the sake of it I decided to ask. Thank you guys so much for the help. – 4rtik Dec 06 '18 at 00:22
  • @SLaks I think so as well. Though the answer [here](https://stackoverflow.com/questions/13840475/absolute-div-overlay-iframe-borders) got me thinking.. It probably won't work in this case, but perhaps you can have a look? – icecub Dec 06 '18 at 00:22

2 Answers

0

To quote part of your question,

I need to get the postMessage that is in a <script> tag in the iframe document

If you mean that you need to put or inject a <script> tag which contains postMessaging, then I'm afraid it's not possible because the same-origin policy will prevent it.

If, however, you're trying to get access to or listen to a postMessage broadcast from a <script> tag within a cross-origin iframe, then yep, that's exactly what postMessage was designed to achieve, provided that your message event listener is hosted on the origin defined in the postMessage's targetOrigin argument.

PostMessage is essentially a contract of trust to overcome cross-origin barriers, by either having...

  • access and permission to author the contents of the iframe
  • been entrusted to listen to broadcasted messages by way of being hosted on the targetOrigin defined (recommended) or by being on any origin if the targetOrigin has a wildcard '*' value (not recommended)

https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#Security_concerns

Wayne
  • Yeah, i'm just trying to listen to a postMessage broadcast from a – 4rtik Dec 06 '18 at 00:46
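The parent-page side of the trust contract the answer above describes, as an added example that is not code from the question or the answers. It assumes a hypothetical child frame served from the placeholder origin https://widget.example that posts JSON strings to the parent; the `handleChildMessage` and `sendToChild` names are mine. The point it adds is that `targetOrigin` is enforced only on the sending side, so the listener has to do its own origin, source and shape checks before trusting anything it receives.

```javascript
// Added example, not from the original post. The child origin is a placeholder.
const ALLOWED_CHILD_ORIGINS = ['https://widget.example']; // assumption: placeholder origin

// Validate one incoming `message` event. Returns the parsed payload, or null
// when the event must be ignored. These checks are the listener's own defence:
// the browser enforces targetOrigin on the sender side only.
function handleChildMessage(event, expectedSource, allowedOrigins = ALLOWED_CHILD_ORIGINS) {
  // 1. Accept only origins explicitly trusted; never treat '*' as a match.
  if (!allowedOrigins.includes(event.origin)) return null;
  // 2. Accept only the window we created (the iframe's contentWindow), not any
  //    other window that happens to hold a reference to us.
  if (expectedSource && event.source !== expectedSource) return null;
  // 3. Parse defensively: a malformed string must not throw inside the handler.
  let payload;
  try {
    payload = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return null;
  }
  // 4. Validate the shape before acting on it.
  if (!payload || typeof payload !== 'object' || typeof payload.type !== 'string') return null;
  return payload;
}

// Send JSON to the child with an explicit targetOrigin. Refuses '*' so a frame
// that has navigated elsewhere cannot receive data meant for the widget.
function sendToChild(childWindow, payload, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing to post with wildcard targetOrigin');
  childWindow.postMessage(JSON.stringify(payload), targetOrigin);
  return targetOrigin;
}

// Browser wiring; skipped under Node so the file also runs stand-alone.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.querySelector('iframe');
  window.addEventListener('message', (event) => {
    const msg = handleChildMessage(event, frame && frame.contentWindow);
    if (msg) console.log('trusted message from child:', msg);
  });
}
```

Note that this only helps when the child can run scripts at all; a frame sandboxed without allow-scripts never calls postMessage, so there is nothing for this listener to receive.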
0

The simple answer is no.

An <iframe> with its sandbox attribute restricting the use of scripts cannot execute scripts. So you won't be able to call postMessage() from this iframe's context, nor will you be able to fire a callback to an event listener.

Now, since your document doesn't satisfy the cross-origin policies, you are stuck, with no way to interact with the <iframe>'s document from outside.


The only workaround, if this feature is a must-have, would be to use your server as a proxy so that your iframe's content is actually fetched and served by your own server.

This way, there is no cross-origin issue anymore (if you add the allow-same-origin policy on your iframe) and you'll be able to access your iframe's content from your parent's doc, or even add event listeners, even though still no scripts could run from this <iframe>'s context; everything would be run from the main doc's context. (This means still no postMessage() from the <iframe>.)

Kaiido
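The two halves of the proxy workaround above, as an added example that is not the answer's own code. The allowed host `widget.example`, the function names and the `#target` / `data-id` selector are assumptions. The server half is the check a proxy needs before it fetches anything on the client's behalf: re-serving third-party pages from your own origin means your server now fetches whatever URL it is handed, so it has to be pinned to the exact hosts the frame is meant to show. The parent half runs entirely in the parent document's context, which is why it works with sandbox="allow-same-origin" and no allow-scripts, and it handles the null contentDocument the question ran into.

```javascript
// Added example, not from the original answer. Host and selectors are placeholders.
const ALLOWED_PROXY_HOSTS = ['widget.example']; // assumption: placeholder host

// Server side: decide whether the proxy may fetch this URL at all. Unparsable
// input, non-https schemes, embedded credentials and unknown hosts are refused.
function isAllowedProxyTarget(rawUrl, allowedHosts = ALLOWED_PROXY_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false; // reject rather than guess at malformed input
  }
  if (url.protocol !== 'https:') return false;
  if (url.username || url.password) return false; // no credentials smuggled in the URL
  return allowedHosts.includes(url.hostname);
}

// Parent side: `frameDoc` is whatever iframe.contentDocument returns. It is
// null when the frame is cross-origin or its sandbox lacks allow-same-origin,
// which is exactly the case the question hit.
function wireSandboxedFrame(frameDoc, selector, attrName, onClick) {
  if (!frameDoc) {
    return { ok: false, reason: 'contentDocument is null: frame is cross-origin or lacks allow-same-origin' };
  }
  const el = frameDoc.querySelector(selector);
  if (!el) return { ok: false, reason: `no element matches ${selector}` };
  // The listener belongs to the parent's context; no script runs inside the frame.
  el.addEventListener('click', onClick);
  return { ok: true, attr: el.getAttribute(attrName) };
}

// Browser wiring; skipped under Node so the file also runs stand-alone.
if (typeof document !== 'undefined') {
  const frame = document.querySelector('iframe');
  const result = wireSandboxedFrame(frame && frame.contentDocument, '#target', 'data-id',
    () => console.log('clicked inside the proxied frame'));
  console.log(result);
}
```

The listener attached by `wireSandboxedFrame` fires in the parent page, so the parent still gets its click callback and attribute value even though the frame itself can execute nothing.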