views: 1182
answers: 2

Is there any way to grab any information from the top from within an iframe on a separate domain? Somebody has tasked me with validating that their advertising is not next to things like pornography, etc... but their ads are always inside an iframe on publisher sites.

Interestingly, when I put twitter.com in an iframe, they have iframe busting technology turned on - like so:

<script type="text/javascript">
//<![CDATA[
    // Twitter's frame-busting check: if this window is not the top-level window,
    // blank the document (once on a short timer and again when the page loads).
    if (window.top !== window.self) {
        setTimeout(function () { document.body.innerHTML = ''; }, 1);
        window.self.onload = function (evt) { document.body.innerHTML = ''; };
    }
//]]>
</script>

What strikes me is that, as a different domain, they still have the ability to get window.top. However, when I try to extend this functionality to window.top.location or window.top.href to get the URL of the top window, I get

uncaught exception: [Exception... "Component returned failure code: 0x8007000e (NS_ERROR_OUT_OF_MEMORY) [nsIDOMNSHTMLDocument.write]"  nsresult: "0x8007000e (NS_ERROR_OUT_OF_MEMORY)"  location: "JS frame :: http://tester.tester.com/iframe3.html :: <TOP_LEVEL> :: line 9"  data: no]
http://tester.tester.com/iframe3.html
Line 9

which is really just a permission error that is being misreported by Gecko (I think).

Any thoughts on this? Is an equality statement available because the iframe doesn't actually get the data while getting the data itself is not available?

Any information I can get would be better than nothing, so please feel free to put in partial answers. Thanks.

+1  A: 

No, there's not. It's due to cross-site scripting attacks.

Seb
+1  A: 

Is an equality statement available because the iframe doesn't actually get the data while getting the data itself is not available?

It's an ancient quirk of JavaScript that you can always get the ‘window’ object of a cross-domain frame/iframe/parent/opener. But — for obvious security reasons — you can't access most members of the object. There have occasionally been ways to circumvent these restrictions in the past due to browser bugs, but nothing you can rely on.

Pretty much the only thing you can usefully do with an unknown window object is check to see if it's the same object as some other known window object, such as the current one.

If you want to test whether an unknown window is at least inside your own domain, you can try to access otherwindow.location inside a try...catch block.

Is there any way to grab any information from the top from within an iframe on a separate domain?

No, but you can record the ‘Referer’ header at the HTTP server end to see what page included the <iframe>. But surely your advertising network should be doing this for you already anyway?

if (window.top !== window.self)

Curious; window.self is the same thing as window; I don't know why you'd ever use the longer version. The shortest idiom for this test is:

if (top!==self)

which works as long as you aren't defining any other variables called ‘top’ or ‘self’.

bobince
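Added example, not from the thread or any of its posters: it simulates in Node the rule this answer describes (a reference to any ancestor window is obtainable, but reading members of a cross-origin one throws) and runs the suggested try...catch probe from the asker's two-layers-down position. The window objects, origins and URLs are constructed stand-ins; since modern browsers hand back a restricted Location object cross-origin and throw only on reading its href, the probe reads href rather than location itself.

```javascript
// Added example, not from the thread: simulates the browser rule the answer describes.
// Any ancestor window reference is obtainable; reading members of a cross-origin one throws.
function makeWindow(href, parent) {           // constructed stand-in for a browser window
  const w = { href, origin: new URL(href).origin, views: new Map() };
  w.parent = parent || w;                     // a top-level window is its own parent
  w.top = parent ? parent.top : w;
  w.referrer = parent ? parent.href : '';     // what document.referrer would hold
  return w;
}
// The view a script at origin `viewer` gets of window `w`; cached so that
// identity checks such as `top !== self` behave as they do in a browser.
function viewOf(w, viewer) {
  if (!w.views.has(viewer)) {
    const sameOrigin = w.origin === viewer;
    w.views.set(viewer, new Proxy({}, {
      get(_, prop) {
        if (typeof prop === 'symbol') return undefined;
        if (prop === 'self' || prop === 'window') return viewOf(w, viewer);
        if (prop === 'parent') return viewOf(w.parent, viewer);
        if (prop === 'top') return viewOf(w.top, viewer);
        if (sameOrigin) {
          if (prop === 'location') return { href: w.href };
          if (prop === 'document') return { referrer: w.referrer };
          return undefined;
        }
        // Cross-origin: the Location object itself is reachable, reading its href is not.
        if (prop === 'location') return new Proxy({}, { get() { throw new Error('SecurityError'); } });
        throw new Error('SecurityError: cross-origin access to ' + String(prop));
      },
    }));
  }
  return w.views.get(viewer);
}
// Run from inside a (possibly nested) iframe: what can it learn about its ancestors?
function frameContext(win) {
  const ctx = { framed: win.top !== win.self, depth: 0, topHref: null, parentHref: null, referrer: '' };
  for (let w = win; w.parent !== w; w = w.parent) ctx.depth += 1; // walking parent works cross-origin
  ctx.referrer = win.document.referrer;  // the embedding page only, and only if Referrer-Policy allows
  try { ctx.topHref = win.top.location.href; } catch (e) { /* cross-origin top: stays null */ }
  try { ctx.parentHref = win.parent.location.href; } catch (e) { /* cross-origin parent: stays null */ }
  return ctx;
}
// Constructed scenario from the thread: publisher page > ad-network frame > our ad, two layers down.
const publisher = makeWindow('http://publisher.example/article');
const network = makeWindow('http://adnet.example/slot', publisher);
const ad = makeWindow('http://ads.example/creative', network);
console.log(frameContext(viewOf(ad, ad.origin)));
// { framed: true, depth: 2, topHref: null, parentHref: null, referrer: 'http://adnet.example/slot' }
```

The nesting depth and the immediate embedder's URL (via the referrer) are all the ad frame can learn client-side; the top page's URL stays out of reach exactly as the answer says, which is why the server-side Referer log is the practical fallback.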
Unfortunately, the ads we would serve would already be in an iframe, so we're 2 layers down on the iframe. Everything else is very helpful. Thanks!
Adam Nelson
Shame... is there really no reporting from the ad network that runs the in-between frame? I'd certainly want to know where my impressions were going...
bobince
There's no real time reporting that I've found yet. Keep in mind that we need the data at the moment of interaction, otherwise a nefarious site will simply show us pages that don't raise flags - although it is a start to do this in a batch method.
Adam Nelson