HTTP return code of iframe?

[Tibor Goldschwendt]

Hi Blink Dev!

Is there any way to get the HTTP return code of a cross-domain iframe? FWIW, the hosting page has the chrome:// scheme while the iframe has https:// scheme. From my limited testing I receive the load event in all scenarios but couldn't find a way to query whether the load succeeded. I also tried window.addEventListener('error', ...) and iframe.addEventListener('error', ...) without any luck.

Best regards,

Tibor

[K. Moon]

This would violate the same-origin policy, so I don't think you can do this within Blink, but given this is a chrome: page, maybe you could add some code in the browser to give this information to you.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFgr3n%2B8i%2BNQNSJY0DFab9JrXG0QTq3W473t-beRtPYbLn1XjA%40mail.gmail.com.

[Tibor Goldschwendt]

+Nasko Oskov 

Thanks, Kahmy. Adding custom code in the browser process is another avenue I'm exploring. Generally though, how do pages deal with broken iframes?

[Daniel Cheng]

The iframe element supports "load" and "error event listeners. Is the exact HTTP error needed? Or does the feature just need to know if it succeed or not?

Daniel

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFgr3nL-J4A0bQuXnU1Ns-eUYLNqVV65KZLeY3HuiPuBYQQmiQ%40mail.gmail.com.

[Domenic Denicola]

The "error" event does not fire on iframes though, precisely because we don't want to leak information cross-origin.

Pages generally deal with broken iframes, in cases where they need to, by noticing that the iframe has not sent them the message they expect. (Via parent.postMessage() from inside the iframe.) That is, they use an opt-in protocol where the iframed page must affirmatively decide what information to send cross-origin.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAF3XrKpDqd9ixPDOFiOu7NjMpmMm62nD0JxzBxyHfLmTJhr0PA%40mail.gmail.com.

[Tibor Goldschwendt]

We explored postMessages for a bit, too. IIUC, this would only solve the success case properly though. But how do we know the iframe is broken? Not receiving the postMessage could also mean the iframe hasn't completed loading yet.

[Tibor Goldschwendt]

I only need to know if the iframe load failed – either because of a network error or because of an HTTP status code >= 400; the latter being the more prevalent case. I don't need to know why the iframe load failed. In my testing I managed to receive the load event in both error and success cases. I did not receive an error event in any case.

[K. Moon]

There's no generic way to do this, as it would leak information. I don't think this route is worth exploring.

[Daniel Cheng]

Hm, I wasn't careful enough when I checked the spec yesterday, I guess. I notice that <object> seems to fire an error event on HTTP error. Is that not leaky in the same way?

Daniel

[Domenic Denicola]

Yes, we're working to remove that as it is a security issue. See https://github.com/whatwg/html/issues/7327 and https://bugs.chromium.org/p/chromium/issues/detail?id=1260366 .