Okay, I have a page on and on this page I have an iframe. What I need to do is on the iframe page, find out what the URL of the main page is.
I have searched around and I know that this is not possible if my iframe page is on a different domain, as that is cross-site scripting. But everywhere I've read says that if the iframe page is on the same domain as the parent page, it should work if I do for instance:
parent.document.location
parent.window.document.location
parent.window.location
parent.document.location.href
... or other similar combos, as there seems to be multiple ways to get the same info.
Anyways, so here's the problem. My iframe is on the same domain as the main page, but it is not on the same SUB domain. So for instance I have
http:// www.mysite.com/pageA.html
and then my iframe URL is
http:// qa-www.mysite.com/pageB.html
When I try to grab the URL from pageB.html
(the iframe page), I keep getting the same access denied error. So it appears that even sub-domains count as cross-site scripting, is that correct, or am I doing something wrong?
This question is related to
javascript
iframe
cross-domain
I've found in the cases where $_SERVER['HTTP_REFERER']
doesn't work (I'm looking at you, Safari), $_SERVER['REDIRECT_SCRIPT_URI']
has been a useful backup.
In chrome it is possible to use location.ancestorOrigins It will return all parent urls
I just discovered a workaround for this problem that is so simple, and yet I haven't found any discussions anywhere that mention it. It does require control of the parent frame.
In your iFrame, say you want this iframe: src="http://www.example.com/mypage.php"
Well, instead of HTML to specify the iframe, use a javascript to build the HTML for your iframe, get the parent url through javascript "at build time", and send it as a url GET parameter in the querystring of your src target, like so:
<script type="text/javascript">
url = parent.document.URL;
document.write('<iframe src="http://example.com/mydata/page.php?url=' + url + '"></iframe>');
</script>
Then, find yourself a javascript url parsing function that parses the url string to get the url variable you are after, in this case it's "url".
I found a great url string parser here: http://www.netlobo.com/url_query_string_javascript.html
If your iframe is from another domain, (cross domain), you will simply need to use this:
var currentUrl = document.referrer;
and - here you've got the main url!
The following line will work: document.location.ancestorOrigins[0]
this one returns the ancestor domain name.
The problem with the PHP $_SERVER['HTTP_REFFERER'] is that it gives the fully qualified page url of the page that brought you to the parent page. That's not the same as the parent page, itself. Worse, sometimes there is no http_referer, because the person typed in the url of the parent page. So, if I get to your parent page from yahoo.com, then yahoo.com becomes the http_referer, not your page.
I couldnt get previous solution to work but I found out that if I set the iframe scr with for example http:otherdomain.com/page.htm?from=thisdomain.com/thisfolder
then I could, in the iframe extract thisdomain.com/thisfolder
by using following javascript:
var myString = document.location.toString();
var mySplitResult = myString.split("=");
fromString = mySplitResult[1];
I've had issues with this. If using a language like php when your page first loads in the iframe grab $_SERVER['HTTP_REFFERER']
and set it to a session variable.
This way when the page loads in the iframe you know the full parent url and query string of the page that loaded it. With cross browser security it's a bit of a headache counting on window.parent anything if you you different domains.
Try it:
document.referrer
When you change you are in a iframe your host is "referrer".
Get All Parent Iframe functions and HTML
var parent = $(window.frameElement).parent();
//alert(parent+"TESTING");
var parentElement=window.frameElement.parentElement.parentElement.parentElement.parentElement;
var Ifram=parentElement.children;
var GetUframClass=Ifram[9].ownerDocument.activeElement.className;
var Decision_URLLl=parentElement.ownerDocument.activeElement.contentDocument.URL;
This worked for me to access the iframe src url.
window.document.URL
For pages on the same domain and different subdomain, you can set the document.domain
property via javascript.
Both the parent frame and the iframe need to set their document.domain to something that is common betweeen them.
i.e.
www.foo.mydomain.com
and api.foo.mydomain.com
could each use either foo.mydomain.com
or just mydomain.com
and be compatible (no, you can't set them both to com
, for security reasons...)
also, note that document.domain is a one way street. Consider running the following three statements in order:
// assume we're starting at www.foo.mydomain.com
document.domain = "foo.mydomain.com" // works
document.domain = "mydomain.com" // works
document.domain = "foo.mydomain.com" // throws a security exception
Modern browsers can also use window.postMessage to talk across origins, but it won't work in IE6. https://developer.mozilla.org/en/DOM/window.postMessage
there is a cross browser script for get parent origin:
private getParentOrigin() {
const locationAreDisctint = (window.location !== window.parent.location);
const parentOrigin = ((locationAreDisctint ? document.referrer : document.location) || "").toString();
if (parentOrigin) {
return new URL(parentOrigin).origin;
}
const currentLocation = document.location;
if (currentLocation.ancestorOrigins && currentLocation.ancestorOrigins.length) {
return currentLocation.ancestorOrigins[0];
}
return "";
}
This code, should work on Chrome and Firefox.
var url = (window.location != window.parent.location) ? document.referrer: document.location;
I found that the above example suggested previously worked when the script was being executed in an iframe however it did not retrieve the url when the script was executed outside of an iframe, a slight adjustment was required:
var url = (window.location != window.parent.location) ? document.referrer: document.location.href;
Yes, accessing parent page's URL is not allowed if the iframe and the main page are not in the same (sub)domain. However, if you just need the URL of the main page (i.e. the browser URL), you can try this:
var url = (window.location != window.parent.location)
? document.referrer
: document.location.href;
Note:
window.parent.location
is allowed; it avoids the security error in the OP, which is caused by accessing the href
property: window.parent.location.href
causes "Blocked a frame with origin..."
document.referrer
refers to "the URI of the page that linked to this page." This may not return the containing document if some other source is what determined the iframe
location, for example:
document.referrer
will be Domain 3, not the containing Domain 1document.location
refers to "a Location object, which contains information about the URL of the document"; presumably the current document, that is, the iframe currently open. When window.location === window.parent.location
, then the iframe's href
is the same as the containing parent's href
.
I know his is super old but it blows my mind no one recommended just passing cookies from one domain to the other. As you are using subdomains you can share cookies from a base domain to all subdomains just by setting cookies to the url .basedomain.com
Then you can share whatever data you need through the cookies.
Source: Stackoverflow.com