3

I've come across a challenging iFrame detection problem in a "friendly iframe" environment. I need to identify from window.top which foreign domain iframe element in window.top.document loads inside of itself yet another iframe with the same domain, protocol, and port as window.top.

So here's the central question: On Page A, how can you determine in JavaScript that iFrame B contains iFrame C? Again, Page A and iFrame C are of the same domain, protocol and port and can communicate with each other. iFrame B is on a different domain. I want to find the DOMElement that is associated with iFrame C on Page A.

Possible things that have been tried that have not worked:

  • document.referrer matching. Page A matches the src attribute of all iframes on Page A to the document.referrer property in iFrame C. Unfortunately, this doesn't work if multiple iframes on Page A load content with the same src on iframe B. It also doesn't work if the src attribute of iframe B is about:blank or javascript:something.
  • window.location.hash communication by looking at the src attributes of iframes. Page A can't get the window.location.hash of iFrame B, so no luck there.
  • This has to work in IE 6 and 7, so there is no window.postMessage support. Sorry.

Additional information:

This is a configuration called "Friendly iFrames". Friendly iFrames (FIF) are common in the advertising industry. Here's how they work:

A page on publisher site, say Page A foo.com, injects iframe B from some-random-ad-server.com. Then inside of iframe B on some-random-ad-server.com, another iframe C is loaded from foo.com. So:

  • I have access (i.e. DOM manipulation) to Page A from iFrame C. Page A has access to iFrame C.
  • Nothing on the Page A or iFrame C has access to iFrame B.
Improve this question
1
  • Hi. I know this is very old, but i am working in something with Chrome 67, i i would like to know if you get any workarround (even an exploit of some kind) to archive this. Thank you.
    – Ansenagy
    Sep 9, 2019 at 0:49

1 Answer 1

Reset to default
0

I realize this is old, but I was curious about client side solutions and ran across this post. I'm using server-side to handle this, why not use server side as last resort? Granted referrer is sketchy on server side, however when dealing with iframed pages, the referrer is pretty reliable and can be compared against the host of the local application and the referring application.

Here is how I've done it in ASP.NET/C# (same thing can be done in PHP, etc)

// set referrer
if (Request.UrlReferrer != null && Request.Url.Host != Request.UrlReferrer.Host)
{
    Session["Referrer"] = Request.UrlReferrer.OriginalString;
}
Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.