Is it possible to find a cross-domain iframe's new URL after a redirect?

Question

I'm trying to post to the login form of an application on another subdomain of my site. It's a third party app that I don't have source access to.

I know that you can't access most features of a cross-domain iframe because of same origin policy. All I need to access, however, is the URL that's been redirected to (via JavaScript) within the iframe. It has a session token that I want to pass through.

That seems like something that might be safe enough to be allowed, but I haven't found a way to do it yet. I'm using jQuery, and I've tried $('iframe').contents(), but I seem to have no permissions at all on that object. I've also checked $('iframe').attr('src'), but it remains as the pre-redirect URL. Is there another way?

Answer 1

No, you don't have access to any properties within an iframe. You only have access to the outer positioning and styling properties.

This is why frames are such a pain to work with. I usually only use them if I don't care what is done within them.

Can you not do a server-side authentication and token passing? Instead of having the client do the authentication, can you not do that on your server? You may need to do some extra work to create the HTTP request and parse the response, but you avoid any iframe issues.

Bottom line is iframes probably aren't the best to rely on(especially when it comes to cross-browser functionality) for important things like authentication.

Answer 2

Try this example (method 2) in which the author sets up another iframe inside the first, loading a page at the original domain. The inner page is allowed to call javascript on the outer parent, since they are loaded in the same domain. Simply load the inner page with appropriate parameters, which can be passed on to the parent.