I'm playing around with some stuff and trying to discern whether, when using a cross-domain iframe (post_message), I can read the elements (div tag, p tag, etc.) of the site within the iframe. I haven't seen any other posts on this, so hopefully someone can provide some insight.
postMessage allows you to communicate with a cooperating iframe. To use it, one window must send a message with postMessage and the other window must have an event listener listening for the message and it must process that message and do whatever you want done with it.
So, it is possible to use postMessage to retrieve content from an iframe, even a cross-origin iframe, but it requires that there be code in the iframe that can receive the message, understand what is being asked of it and do postMessage back to the original frame with the information that was requested.
So, this means that if you control both the window and iframe JavaScript, you can do what you ask, but if you don't control one of the two and they don't already have the right JavaScript code in them to fetch the data you want, then you can't get the job done with postMessage. All it does is deliver messages. The code to process those messages must be put there by the owner of that particular web page.
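The cooperating-frame exchange described in this answer, as an added example that is not part of the original post. The origins, the `get-text` message type and the selector allow-list are assumptions; the point is that each side checks `event.origin` before acting and the frame decides what it is willing to disclose.

```javascript
// Added example. Origins, message types and selectors below are assumptions.
const PARENT_ORIGIN = 'https://parent.example';
const FRAME_ORIGIN = 'https://widget.example';
const ALLOWED_SELECTORS = new Set(['p.price', 'div#summary']);

// Code the iframe's owner must ship: answers only the trusted parent,
// and only for selectors the owner has chosen to expose.
function makeFrameHandler(doc) {
  return function onMessage(event) {
    if (event.origin !== PARENT_ORIGIN) return false;
    const msg = event.data;
    if (!msg || msg.type !== 'get-text') return false;
    if (!ALLOWED_SELECTORS.has(msg.selector)) return false;
    const el = doc.querySelector(msg.selector);
    const reply = { type: 'text', id: msg.id, text: el ? el.textContent : null };
    event.source.postMessage(reply, event.origin); // explicit target, never '*'
    return true;
  };
}

// Code in the embedding page: accepts replies only from the expected
// origin and from the exact window object of the embedded frame.
function makeParentHandler(frameWindow, onText) {
  return function onMessage(event) {
    if (event.origin !== FRAME_ORIGIN || event.source !== frameWindow) return false;
    if (!event.data || event.data.type !== 'text') return false;
    onText(event.data.id, event.data.text);
    return true;
  };
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (window.parent !== window) {
    // We are the embedded document.
    window.addEventListener('message', makeFrameHandler(document));
  } else {
    const frame = document.querySelector('iframe');
    if (frame) {
      window.addEventListener('message',
        makeParentHandler(frame.contentWindow, (id, text) => console.log(id, text)));
      frame.addEventListener('load', () => frame.contentWindow.postMessage(
        { type: 'get-text', id: 1, selector: 'p.price' }, FRAME_ORIGIN));
    }
  }
}
```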
Related
I have an iframe that displays live prices of the stock market. My problem is that when I load my page, this iframe shows a pop-up window for the cookie policy.
Is there any way to avoid this window completely (or select "accept" in the background) so that this iframe will directly show stock prices?
I found some information about the sandbox option but could not go deeper with that.
My website is the following, and the iframe is at the bottom left:
https://grbusinessforum.com/
("Αποδέχομαι" is the button of "Accept cookies")
Thanks
Sandboxing the iframe can prevent all JS from running inside it, but that would probably break the page in other ways.
There's nothing you can do from outside the frame.
You'd need to change the page inside the frame instead. You could add a query string to the URL that it uses to disable the tracking cookies by default, or use postMessage to send a message into the frame that code there uses to remove the cookie prompt.
Of course, this will need the cooperation of the people who control the site you are displaying in the frame … but if they are happy for you to show their content on your page that shouldn't be too much of a problem, should it?
Before I start describing my problem I just want to give a heads-up that all the pages, iFrames etc. are hosted locally on my PC. And that I have used page.setBypassCSP(true) to temporarily disable any origin based restrictions.
Here we go, I have a webpage which embeds an iFrame and that iFrame may embed another one (and the list can go on...). Some of the deeper iFrames may be appended to the body of its parent via JavaScript, e.g. document.body.appendChild inside a setTimeout(..., 3000), which kind of simulates a dynamic iframe load. I want to know what is the best way to evaluate a script source on all of these iFrames. I tried using page.on('framenavigated', ...) but this only works for the page's immediate child frame(s).
I tried recursively iterating through all the frames in the page using page.frames() but that only works for iFrames that are available at the time when the DOMContentLoaded event is fired.
I'm looking for a way to listen to all the framenavigated events fired by all the nested iFrames even for the ones that loaded dynamically at any point of time, after the page is loaded. Any pointers would be greatly appreciated.
UPDATE:
I have tried listening to events using page.on('frameattached', ...) and page.on('framedetached', ...) but that also doesn't let me list all iFrames.
Basically, I want to get all the opened tabs of the browser window, from within a tab, more specifically, in content script.
I tried chrome.tabs.query, it works in background script, but doesn't work in content script.
So my questions are:
Is there a way to do such work? Maybe an API that I wasn't aware of?
Or, can I dispatch an event from content script, then capture the event in background script, and vice versa?
Or, is it just impossible?
According to https://developer.chrome.com/extensions/content_scripts , a content script cannot access chrome.* APIs, except a few allowed ones, but chrome.tabs is not among them.
Exchanging messages with the parent script is possible, though, so this might be the way to do it. See https://developer.chrome.com/extensions/messaging
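The content-script-to-background round trip suggested in this answer, as an added example that is not part of the original post. It assumes a Manifest V3 extension where `chrome.tabs.query` and `chrome.runtime.sendMessage` return promises; the `list-tabs` message type and the function names are assumptions.

```javascript
// Added example. `chromeApi` is the extension's `chrome` object, passed in
// so the logic can be exercised with a stub outside the browser.

// background.js (service worker): the context where chrome.tabs is available.
function registerBackground(chromeApi) {
  chromeApi.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    // Content scripts live inside web pages, so treat the request as
    // untrusted: accept one known message type, from a tab, nothing else.
    if (!msg || msg.type !== 'list-tabs' || !sender.tab) return false;
    chromeApi.tabs.query({ windowId: sender.tab.windowId }).then((tabs) => {
      // Return only what the content script needs. Titles require the
      // "tabs" permission; URLs are deliberately left out.
      sendResponse(tabs.map((t) => ({ id: t.id, title: t.title })));
    });
    return true; // keep the message channel open for the async reply
  });
}

// content-script.js: cannot call chrome.tabs, so it asks the background.
function requestTabs(chromeApi) {
  return chromeApi.runtime.sendMessage({ type: 'list-tabs' });
}

// Wiring inside a real extension; skipped everywhere else.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.id) {
  if (chrome.tabs) {
    registerBackground(chrome);
  } else {
    requestTabs(chrome).then((tabs) => console.log(tabs));
  }
}
```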
I have come across several posts about how to handle Javascript being disabled while/before the page is being loaded. However, is there any way to detect Javascript being disabled by the user after the page has loaded in order to hide content at the last minute?
Use a dead man switch on setInterval. If it doesn't trip the trigger, then you need to hide that content before the no-javascript gremlins destroy it. How can you hide it without javascript? Have a competitive process going between CSS animations and Javascript, such that if javascript is not present, the CSS animations (to hide the content) win out. And lo, the content waseth hiddeneth.
Attempt to send an HTTP request to your server? If that ping doesn't arrive, javascript could be disabled.
Use a noscript tag to inform the user of various things in the event that javascript is disabled, such as the fact that the user has javascript disabled.
Put a form in a noscript tag to ask a user to tell you that javascript is disabled, or otherwise to send feedback about their browsing experience to your site without javascript.
Check if the UserAgent header contains Lynx?
You can find out if a particular user had disabled JS on his browser by using cookies. You can assume that your JS sets a cookie with some key-value pair like js-enabled=true.
When the page gets loaded next time, if the cookie does not contain the js-enabled key, then you know that JS is disabled on the page and the server returns the content accordingly.
Now, your question:
After the page has loaded in order to hide content at the last minute?
Say even if you know JS is disabled on the browser, how will you hide the content? You again need JS to be executed to manipulate the DOM, which is not possible, I think, when JS is disabled. So one of the solutions can be that when your server knows that JS is disabled, it returns the page which does not have the content that you want to hide.
There is a way to show a warning when javascript is disabled before loading: Write a div element with a warning that jscript is disabled and hide it with jscript while loading the webpage. It is not possible to show a warning when javascript is disabled, because javascript is needed to change any part of a webpage.
If your app can stand the hit of doing log checks, I would, say every minute or so, use ajax to call the backend, which will then log a time. If the backend checks and the last log time is substantially off, then shut down the app.
I have two iframes from the same domain, which are hosted in a document from another domain. The problem is these iframes cannot communicate with each other through postMessage. I can't even access the DOM of iframe1 from iframe2 even though they belong to the same domain. Is there any solution?
I used following options to refer the required iframe.
parent.frame[x]
I tried following lines to access DOM of iframes
parent.frame[x].contentWindow returns null,
parent.frame[x].document.getElementsByTagName("body") returns null
Update:
I guess my question is not clear enough. There is no problem with postMessage api, the actual problem is browser creates a custom frameset around the iframe document, in my case!
So parent.frame[x] won't point to the iframe window, instead it points to the custom frameset inside the iframe window.
Following question explains the problem well.
Prevent browser from loading a custom frameset in an iframe's document
If you want cross-window same-domain communication, you can set it up via localStorage. When you add an item to localStorage, you get window "storage" event in all other windows / iframes / tabs of the same domain.
So, you basically localStorage.setItem('name', 'value') in one iframe while you listen to window.addEventListener('storage', (event) => {/* handle message */}) and you get the message.
Take a look at the following description of the postMessage function and how it could be used. So in frame1 you call the postMessage method and in frame2 you subscribe for notifications. Obviously the browser you are using must support this API.
There's also a very nice jQuery plugin which wraps this API and simplifies its usage. It also works in browsers that do not support the postMessage method by using the hash portion of the url.