views: 112

answers: 3

Hi,

Is it possible to track a button click within an iFrame if I don't have control over the external website or its contents?

(very fictional example) If I had an iframe like this:

 <iframe src="http://www.johnny.com/plugins/like.php?href=http%253A%252F%252Fexample.com%252Fpage%252Fto%252Flike&amp;layout=standard&amp;show_faces=true&amp;width=450&amp;action=like&amp;font&amp;colorscheme=light&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:450px; height:80px;" allowTransparency="true"></iframe>
A: 

Not reliably across browsers, no.

That would easily qualify as a cross site scripting (XSS) exploit and be caught by the majority of modern browsers.

Justin Niessner
+1  A: 

If you are asking whether you can find a button in the DOM of the HTML that has your iframe and then add an onclick event to it, then yes, if you are served from the same domain.

 window.parent.document.getElementById("someButtonId") // only permitted when parent and iframe share an origin

will work -- so will any other DOM functions.

If you are not on the same domain, then the browser won't let you. It's called cross-site scripting (XSS) and is considered a security violation.

If you are on another domain, the owner did add your iframe, right? If so, have them also add in the events. They can pass in variables and call helper functions on your iframe. So they could pass the button in and you could add the event to it.

Lou Franco
We are on one domain where we have installed an iFrame widget referring to another domain, so it's a case of XSS, understood. Would it be possible to add some kind of overlay (assuming we know the widget position on the page) to track the "onclick" event and to pass it to the iframe? Unfortunately, we cannot ask the 3rd party widget provider to add anything to their iFrame.
PhilGo20
Here's the thing -- I hope not. XSS is a security violation for a reason. Should an ad be able to read my mail or trick me into doing something I can't see? If the site owner won't cooperate, anything you do should be stopped by the browser. If you find a way -- it's a security bug.
Lou Franco
+1  A: 

The answer is: not possible at all without some kind of cooperation with the remote site.
That is due to the Same Origin Policy kicking in for your protection.

If you have some kind of cooperation then you could pull this off using cross-domain messaging (e.g. with easyXDM).

Sean Kinsey
Thanks for the easyXDM link
PhilGo20
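The cooperative approach Sean Kinsey describes, as an added example that is not from any of the answers and uses the browser's own window.postMessage rather than easyXDM: the widget page posts a message when its button is clicked, and the host page acts on it only after checking the sender's origin and the message shape. The origins https://host.example and https://widget.example, the button id "like" and the message format are assumptions for the example.

```javascript
// Added example: cooperative cross-origin click tracking with postMessage.
// Both pages must agree on the message shape; each side names the other's
// origin explicitly. Origins and ids below are placeholders (assumed).
const WIDGET_ORIGIN = "https://widget.example";
const HOST_ORIGIN = "https://host.example";

// Validate one incoming message on the host side. Returns the clicked
// button id, or null when the message must be ignored. Kept pure so the
// acceptance rules can be exercised outside a browser.
function acceptClickMessage(origin, data) {
  if (origin !== WIDGET_ORIGIN) return null;                 // unexpected sender
  if (typeof data !== "object" || data === null) return null; // not our shape
  if (data.type !== "widget-click") return null;
  // Only a short, plain identifier is accepted; nothing from the message
  // is ever written into the host DOM as HTML.
  if (typeof data.button !== "string" || !/^[\w-]{1,64}$/.test(data.button)) return null;
  return data.button;
}

// --- Widget side (page served from WIDGET_ORIGIN, loaded in the iframe) ---
function installWidgetSide(win, doc) {
  const btn = doc.getElementById("like");
  btn.addEventListener("click", () => {
    // Target the embedding origin explicitly, never "*", so the click
    // report cannot leak to an unexpected parent page.
    win.parent.postMessage({ type: "widget-click", button: "like" }, HOST_ORIGIN);
  });
}

// --- Host side (page served from HOST_ORIGIN, containing the iframe) ---
function installHostSide(win, onClick) {
  win.addEventListener("message", (event) => {
    const button = acceptClickMessage(event.origin, event.data);
    if (button !== null) onClick(button);
  });
}

// Browser glue; when run outside a browser only the helpers above exist.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  if (window.location.origin === WIDGET_ORIGIN) installWidgetSide(window, document);
  if (window.location.origin === HOST_ORIGIN) installHostSide(window, (b) => console.log("clicked", b));
}
```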