Using iframes for cross-site scripting
Here is an easy way to communicate between different domains using frames:
Step 1: Create a file called iframe_remote.htm with the following:
<html>
<script type="text/javascript">
// The value stored here is what the calling page will read back
window.name="my test data";
</script>
</html>
The above code contains the data that you want to return to your calling script. I used a simple example with static data. Instead, a script in PHP (or any other programming language) could be used to return data dynamically depending on the parameters (this data could also be JSON or XML).
Step 2: Create a file called iframe.htm with the following:
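<html>
<head>
<script type="text/javascript">
// Runs on every load of the iframe, including the first (remote) load
function loadFrame()
{
  var crossData = "";
  try
  {
    // Throws while the frame still holds the remote document
    crossData = document.getElementById('cframe').contentWindow.name;
    alert("data: "+crossData);
  } catch(err) {
    // Frame is still cross-domain; nothing can be read yet
  }
}
// Navigates the frame to a local file so that its window.name becomes readable
function setFrame()
{
  document.getElementById('cframe').src = 'iframe_dummy.htm';
}
</script>
</head>
<body>
<iframe id="cframe" name="test" src="http://yourdomain.com/iframe_remote.htm" onLoad="loadFrame()" style="display:none"></iframe>
<input type="button" value="Get Remote data" onclick="setFrame()">
</body>
</html>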
Set the iframe src to the full path of iframe_remote.htm. iframe.htm itself should be placed on the domain that is retrieving the remote data. You should also create a file called iframe_dummy.htm on the same server as iframe.htm.
This technique currently works in all major browsers.
How it works
Under normal circumstances, you can’t access remote data or properties in a frame across different domains due to security measures in place by your browser (the same-origin policy). The iframe name is the key to retrieving cross-domain data. The above code first loads an iframe with JavaScript that sets the iframe’s window.name property. After this, the iframe src is dynamically changed to a local file. The window.name property belongs to the frame rather than to the document loaded in it, so it is not changed by the navigation, and your browser now sees the frame as a file on the same domain, which lets the calling page read the value.
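The following added example (not part of the original post) shows how the calling page could handle the value read from contentWindow.name as untrusted input from the other domain: it parses the string as JSON instead of evaluating it, keeps only the expected fields, and clears the frame's name afterwards so the value does not stay attached to the frame. The payload shape (user, count), the size limit and the function names are assumptions made for this illustration.

```javascript
// Added example, not code from the original post.
// Assumption: the remote page sets window.name to a JSON object such as
// {"user":"alice","count":3}. Field names and limits are hypothetical.

const MAX_NAME_LENGTH = 4096; // constructed limit for this example

// Validate the raw window.name string; return a clean object or null.
function parseFrameName(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > MAX_NAME_LENGTH) {
    return null;
  }
  let value;
  try {
    value = JSON.parse(raw); // never eval() data that came from another domain
  } catch (err) {
    return null; // not JSON, e.g. the iframe's initial name "test"
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    return null;
  }
  // Check each expected field, then copy only those fields.
  if (typeof value.user !== "string" || !/^[A-Za-z0-9_-]{1,32}$/.test(value.user)) {
    return null;
  }
  if (!Number.isInteger(value.count) || value.count < 0) {
    return null;
  }
  return { user: value.user, count: value.count };
}

// Read the frame's name once the frame is same-domain, then clear it so
// documents loaded into the frame later cannot read the same value.
function readAndClearFrame(frame) {
  let raw;
  try {
    raw = frame.contentWindow.name; // throws while the frame is cross-domain
  } catch (err) {
    return null;
  }
  const data = parseFrameName(raw);
  frame.contentWindow.name = "";
  return data;
}
```

In iframe.htm, loadFrame() would call readAndClearFrame(document.getElementById('cframe')) and act only on a non-null result.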
4 comments
You can’t obtain data from a different domain than the one the JS comes from, right? So why not put the script on yourdomain.com and ask for the resource directly? Have you tried?
Another technique, useful for bookmarklets for example, is to inject into the host page a form with a target attribute pointing to the iframe’s id. Then you can post data to the iframe, which can be in another domain. Unfortunately you can do this only in one direction.