0

I'm trying to get the links to all images and get them copied with click event in the iframe but it gets loaded from the external server src. I've tried to access the tags inside iframe with contentDocument and contentWindow.document. In the first case I'm getting null value, in the second - "Blocked a frame with origin from accessing a cross-origin frame".

Is there a way to access this iframe and change its content?

Nikita Lvov
  • 97
  • 2
  • 14
  • Do you control the server that the embedded page is loaded from? – easrng Oct 23 '19 at 02:32
  • @Perhapsyouseethisname. nope, I don't control it – Nikita Lvov Oct 23 '19 at 02:36
  • You can’t do it, sorry. – easrng Oct 23 '19 at 02:39
  • You can. Simply declare a content script that matches that iframe's URL and add `"all_frames":true`. That content script will be running inside the iframe so it'll be able to access its contents directly via `document` and `window`. You can use [messaging](https://developer.chrome.com/extensions/messaging) to communicate. – wOxxOm Oct 23 '19 at 04:14
  • Possible duplicate of [access iframe content from a chrome's extension content script](https://stackoverflow.com/questions/11325415/access-iframe-content-from-a-chromes-extension-content-script) – wOxxOm Oct 23 '19 at 04:15
  • Verify if it works from the console. I had this issue and it was a matter of finding the correct javascript context. I would like to see your extension code if possible... – Jason Owens Oct 23 '19 at 22:02

1 Answers1

0

Is there a way to access this iframe and change its content?

Yes, via browser messages if you are able to and back from it, via postMessage. However iFrames are built with security in mind and sandboxing is one way that is done.

it gets loaded from the external server src.

If you can postMessage to the iframe from here, listen for it in the iframe / app, tell the app to get the data you need and post it back to the external server - that's how we are working with iframes, but its frontend not server side, if its server side... there must be another solution.

--disable-web-security on the iframe sandbox is one flag you can play with, but it is not recommended.

The “Same Origin” policy states that:

  • if we have a reference to another window, e.g. a popup created by window.open or a window inside , and that window comes from the same origin, then we have full access to that window.
  • otherwise, if it comes from another origin, then we can’t access the content of that window: variables, document, anything. The only exception is location: we can change it (thus redirecting the user). But we cannot read location (so we can’t see where the user is now, no information leak).
Jeremy
  • 1,170
  • 9
  • 26