tags:

views:

486

answers:

2
+4  Q: 

Detect when iframe is cross-domain, then bust out of it

I have a page with a large iframe that contains a majority of the content. The user interacts with the website by clicking around within the iframe. The functionality I'm trying to build is: When a user navigates away from my site, I do them a favor and bust out of the iframe.

The iframe has an onload event which is fired every time a new page is loaded, cross-domain or not.

<iframe id="testframe" src="http://mysite.com" onload="testframe_loaded()"></iframe>

Each time the event is fired, I'm looking for some way to:

A) Detect when the user navigates to a different domain

B) Bust out of the iframe.

I suspect that B isn't possible, since browsers don't give access to

document.getElementById("testframe").contentDocument.location.href

when the iframe is cross-domain. I'm also not sure whether or not A is possible.

If anybody has ideas as to how to accomplish this, or is positive that it can't be done, I'd appreciate the advice.

Thanks

+3  A: 

You can do A, since if you get a security error (which you can catch), that's means they're cross-domain :) Then you can resize the iframe to be the whole page. But I think you're right you can't actually bust out, without explicit cooperation from the other domain.

EDIT: You're right you don't need to poll. Here's the basic code:

<html>
<head>
<title>Cross-domain frame test</title>
<!-- http://stackoverflow.com/questions/2365822/detect-when-iframe-is-cross-domain-then-bust-out-of-it/2365853#2365853 -->
<script type="text/javascript">
function checkForCross()
{
  var iframe = document.getElementById("myFrame");
  try
  {
    var loc = iframe.contentDocument.location.href;
  } catch(e)
  {
    iframe.setAttribute("style", "border: 0; margin: 0; padding: 0; height: 100%; width: 100%;");
  }
}
</script>
</head>
<body>
<iframe name="myFrame" id="myFrame" src="child.html" style="height: 50%; width: 50%;" onload="checkForCross()"></iframe>
</body>
</html>
Matthew Flaschen  2010-03-02 18:59:24
I'll test the try/catch approach.. I always forget that JavaScript supports that :) Polling isn't necessary though, since I can just test it each time the iframe's onload event is fired.
Emmett  2010-03-02 19:07:16
This definitely works and demonstrates that A is possible. Unfortunately B still seems impossible -- expanding the iframe works, but it's still wonky because the url in the browser's location bar won't match the site being displayed.I'll try to play around a bit with solutions involving modifying the the links that the other answers suggest, e.g. attaching a click handler to every link that checks if the href attribute is cross-domain.
Emmett  2010-03-02 20:35:44
Emmett, the click handler works, but only for /your/ links, not links within the iframe.
Matthew Flaschen  2010-03-02 20:48:28
A: 

set the 'target' attribute on external links to '_top'.

kennebec  2010-03-02 19:17:38

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security