Monday, June 3, 2024
125
rated 0 times [  126] [ 1]  / answers: 1 / hits: 35890  / 10 Years ago, fri, september 26, 2014, 12:00:00

I'm using an iframe to load faroo.com as the default src in the frame. When I search and move to another webpage using faroo, the iframe src still displays faroo.com only. I wanted to capture the URL of the page that has loaded in the iframe.



<!DOCTYPE html>
<html>
<head>
<script src="http://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.11.1.min.js"></script>
<script type="text/javascript">
$(function(){
    // Fires each time the iframe finishes loading a page
    $('#frameid').load(function(){
        // Reads the src attribute, which does not change when the frame navigates
        var z = $('#frameid').attr('src');
        console.log('hi ' + z);
    });

    // Point the iframe at faroo.com when the button is clicked
    $('#clicked').on('click', function(){
        $('#frameid').attr('src', 'http://www.faroo.com/');
    });
});
</script>
</head>
<body>

<iframe width="100%" height="500px" id="frameid" src="" name="iframe_a"></iframe>

<p><input type="button" value="click me!" id="clicked"></p>

</body>
</html>


The output at console.log is always faroo.com, not the current website that has loaded.



 Answers
23

As a matter of security, you are allowed to retrieve the URL as long as the contents of the iframe and the referencing JavaScript are hosted in the same domain.



Should it be the case, you can do something like:



document.getElementById('frameid').contentWindow.location.href


If the two domains are different then you'll have all the restrictions that apply to the cross-site reference scripting domain. Example:



document.getElementById('frameid').src = 'http://www.google.com/';
alert(document.getElementById('frameid').contentWindow.location.href);

Error: Permission denied to get property Location.href


For sure (except if you find some huge security flaw in your browser) you simply cannot achieve what you need using javascript in the parent document. Let's see with a simple example why. If the browser allowed what you need, you could easily:




  1. Create a page, with a hidden iframe (e.g. http://malicous.com/dont-trust)

  2. In that iframe, open a child page with the login process of some website (e.g. http://insecure-web-site.com/redirectlogin)

  3. If cookies for child are present and under certain circumstances, the page inside the frame will redirect to the real website, proceeding with user login.

  4. From the parent page you will now be able to read all the sensitive information that went through the login process and is contained inside the URL, e.g. access tokens, session IDs, ...

  5. At this point the victim website and its users are in front of a wide new set of possible security threats...


[#69330] Wednesday, September 24, 2014
rayvencallij
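
The restriction described in the answer above, as an added example that is not part of the original post: it models the same-origin check with constructed stand-ins for an iframe so it runs outside a browser, and shows why a parent page falls back to the unchanged src attribute once the frame has moved to another origin. The names sameOrigin, makeFrame and readFrameUrl and the parent.example URLs are assumptions made for illustration.

```javascript
// Added example: constructed model of the same-origin rule for iframe URL reads.

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Constructed stand-in for an <iframe> element (not a real DOM node):
// `src` is the attribute the parent set, `current` is where the frame is now.
function makeFrame(parentHref, src, current) {
  return {
    getAttribute: (name) => (name === 'src' ? src : null),
    contentWindow: {
      location: {
        get href() {
          // Browsers refuse to reveal location.href across origins.
          if (!sameOrigin(parentHref, current)) {
            const err = new Error('Permission denied to get property Location.href');
            err.name = 'SecurityError';
            throw err;
          }
          return current;
        },
      },
    },
  };
}

// Hypothetical helper: return the live URL when the browser allows it,
// otherwise report that only the (possibly stale) src attribute is known.
function readFrameUrl(frame) {
  try {
    return { url: frame.contentWindow.location.href, live: true };
  } catch (e) {
    if (e.name !== 'SecurityError') throw e; // unrelated failures still surface
    return { url: frame.getAttribute('src'), live: false };
  }
}

// Constructed sample input: one same-origin frame, one frame that navigated on faroo.com.
const PARENT = 'http://parent.example/page.html';
const localFrame = makeFrame(PARENT, 'http://parent.example/a.html', 'http://parent.example/b.html');
const remoteFrame = makeFrame(PARENT, 'http://www.faroo.com/', 'http://www.faroo.com/results?q=test');

console.log(readFrameUrl(localFrame));  // live URL is readable
console.log(readFrameUrl(remoteFrame)); // only the original src attribute is known
```
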
