I am using NODE JS module with which I am creating a HTTP server. Server's response is a page containing JavaScript which embed a webpage in . Here is response code:
<html>
<head>
<script type='text/javascript'>
function test() {
document.body.innerHTML='<iframe id="ifool" src="URL" sandbox="allow-same-origin allow-forms allow-scripts"> </iframe>';
var c;
window.setInterval(function(){
c=document.getElementById("ifool").contentWindow.location.href;
window.history.pushState(0,0,c);
},100);
</script>
</head>
<body onload= "test()">
</body>
</html>
I am using Firebug with FF.I am getting following error:
Error: Permission denied to access property 'href'
c=document.getElementById("ifool").contentWindow.location.href;
If the URL you are trying to access in your iframe is outside of your current page domain then you will not be able to do it. Modern browsers implement a Same Origin Policy which decides the permissions of JavaScripts when running cross site scripting.
When a parent and child come from the same domain, they have access to each other; the child can access and operate properties and methods of the parent, and vice-versa. However, when they don't, attempting such access so will trigger script errors indicating Permission denied.
If I try running similar scripts with my page and iframe source pointing to pages hosted by node server, I get no permission errors.
Sources: