1

I am trying to access the iframe DOM elements through a Chrome browser extension with something like document.querySelector("iframe").contentWindow.document The iframe's source is cross-domain. I'm getting a permission error, which Google tells me is because browsers specifically prohibit this.

However, I do have access to the raw DOM on my side from the inspector tool. If I run the same command in the console after inspecting element, I'm able to access the exact inner-HTML element I need with no permission error using the same exact command. I think this is because I'm looking at the DOM rather than trying to grab it from the source, which is what I need, just inside the chrome extension instead and not the chrome console. Is it possible to simply read the DOM of an inner-HTML element in an off-origin iframe? Even if it's not through the chrome extension?

At this point I'm thinking I'd have to edit the chrome browser itself. Please help.

Adam
  • 11
  • 2
  • look it, pls - https://stackoverflow.com/questions/9393532/cross-domain-iframe-issue – s.kuznetsov May 04 '21 at 10:46
  • I don't have access to the other site. I'm wondering where the disconnect is between the inspector console and my extension's javascript. Where can I automatically access what my console sees? Since it seems like that's where I'm able to read the DOM directly. – Adam May 04 '21 at 10:49
  • Is it possible from parent page? No – charlietfl May 04 '21 at 10:56
  • 1
    I don't need to edit or modify anything in the iframe HTML, just read it. For example, on a site's iframe there's a `balance` tag, where I'm trying to read the balance. I can access the balance in the browser console once the DOM loads in the inspector through `document.querySelector(".balance")`, but not through a script. If I could access the chrome inspector through say, a python script, that would be perfect, but I haven't found anything useful. – Adam May 04 '21 at 12:10
  • 1
    Does this answer your question? [Cross domain iframe issue](https://stackoverflow.com/questions/9393532/cross-domain-iframe-issue) – David Bradshaw May 06 '21 at 12:52
  • The built in Developer tools have NOTHING to do with XSS. Could you imagine going to some random site and they had access to your email or bank account? Hence why you can't do this stuff. – epascarello May 06 '21 at 12:58

1 Answers1

1

You can not do this on cross-domain iframes due to security restrictions in the browser. You only option is to get the other site to enable CORS for your site

David Bradshaw
  • 11,859
  • 3
  • 41
  • 70