Cross-origin exception accessing iframe on same domain
1,183 views
Skip to first unread message
Julien Tourteau
May 26, 2021, 10:56:27 AM5/26/21
to Chromium Extensions
I'm currently developping a chrome extension based on manifest v3.
I'm trying to access a table from a content_script.
The table is located into an iframe inside another iframe.
The page is structured as follow
--------------------------------------------------------------------------------------------------------------------------------------
<iframe id="iframe_centrale" src="/[...]">
[...]
<iframe id="iframe" src="/[...]">
[...]
<table></table>
[...]
</iframe>
[...]
</iframe>
--------------------------------------------------------------------------------------------------------------------------------------
I'm accessing the table as follow
--------------------------------------------------------------------------------------------------------------------------------------
var tableElement = null;
var iframe = null;
iframe = document.getElementById('iframe_centrale');
if(null != iframe)
{
iframe = iframe.contentWindow.document.getElementById("iframe");
if(null != iframe)
{
tableElement = iframe.contentWindow.document.evaluate("//table", iframe.contentDocument, null, XPathResult.FIRST_ORDERED_NODE_TYPE, null).singleNodeValue;
if((null != tableElement)
{
// Read table
}
}
}
--------------------------------------------------------------------------------------------------------------------------------------
When I'm trying to access the second iframe I face the following error
--------------------------------------------------------------------------------------------------------------------------------------
Uncaught SecurityError: Blocked a frame with origin "https://subdomain.domain.fr" from accessing a frame with origin "https://subdomain.domain.fr". The frame requesting access set "document.domain" to "domain.fr", but the frame being accessed did not. Both must set "document.domain" to the same value to allow access
--------------------------------------------------------------------------------------------------------------------------------------
What I don't understand is why I'm having this exception when the first iframe URL is in the same domain than the first one.
I also tried to workaround this exception by retrieving the iframe id using 'chrome.webNavigation.getAllFrames()' and injecting a script into it using 'chrome.tabs.executeScript()'
However the second iframe is not detected since it's itself into an iframe.
Does anybody knows why I'm facing a cross-origin exeception ?
Does anybody knows how I could retrieve the second iframe id to inject a script ?
Thanks in advance for your help.
PhistucK
May 26, 2021, 11:51:04 AM5/26/21
to Julien Tourteau, Chromium Extensions
The message says so, the page set document.domain, which effectively changes the security origin of that page.
For more details -
☆PhistucK
--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/9ebc0fc6-fb3e-44d9-b63e-714fa86c4945n%40chromium.org.
Julien Tourteau
May 27, 2021, 3:41:35 AM5/27/21
to Chromium Extensions, PhistucK, Chromium Extensions, Julien Tourteau
I checked the iframe.contentWindow.document.domain from the extension code and what is happening is that both iframes initially have domain set to domain.fr but at this moment the table is not contained yet inside the second iframe.
At a moment, the second iframe domain changes to subdomain.domain.fr and I have the exception raised.
I also tried to catch the exception so I can change the first iframe domain to subdomain.domain.fr before reaccessing the second iframe as follow
--------------------------------------------------------------------------------------------------------------------------------------
try
{
console.log("### IFRAME 1 : "+iframe1.contentWindow.document.domain);
console.log("### IFRAME 2 : "+iframe2.contentWindow.document.domain);
}
catch
{
iframe2 = iframe1.contentWindow.document.getElementById("iframe");
console.log("### IFRAME 2 : "+iframe2.contentWindow.document.domain);
}
--------------------------------------------------------------------------------------------------------------------------------------
However I still have the exception raised on the last line ince the domain has changed.
What I think is weird is that I reproduced the exact same code on Firefox and it works well.
Does anybody knows how I could workaround this issue ?
Is that possible to access the second iframe content if I also change the first iframe domain ?
Does anybody know why it works on Firefox but not on Chrome ?
guest271314
May 27, 2021, 10:16:12 AM5/27/21
to Chromium Extensions, tourtea...@gmail.com, PhistucK, Chromium Extensions
Do you have control over the documents in the <iframe> elements?
Julien Tourteau
May 27, 2021, 1:07:21 PM5/27/21
to Chromium Extensions, guest...@gmail.com, Julien Tourteau, PhistucK, Chromium Extensions
From Firefox I have control over the both iframe.
From Chrome I have control only on the first one.
I when further into iframe behaviour analysis using Firefox (since I can access second iframe's content).
I set a mutation observer to print both 'domain' and 'href' for base document and iframes
I have the following result
--------------------------------------------------------------------------------------------------------------------------------------
#############################################################
### BASE PAGE : domain.fr / https://subdomain.domain.fr/path1
### IFRAME 1 : domain.fr / https://subdomain.domain.fr/path2
TypeError: iframe2 is null
[...]
#############################################################
### BASE PAGE : domain.fr / https://subdomain.domain.fr/path1
### IFRAME 1 : domain.fr / https://subdomain.domain.fr/path2
### IFRAME 2 : domain.fr / about:blank
[...]
#############################################################
### BASE PAGE : domain.fr / https://subdomain.domain.fr/path1
### IFRAME 1 : domain.fr / https://subdomain.domain.fr/path2
### IFRAME 2 : subdomain.domain.fr / https://subdomain.domain.fr/path3
### BASE PAGE : domain.fr / https://subdomain.domain.fr/path1
### IFRAME 1 : domain.fr / https://subdomain.domain.fr/path2
TypeError: iframe2 is null
[...]
#############################################################
### BASE PAGE : domain.fr / https://subdomain.domain.fr/path1
### IFRAME 1 : domain.fr / https://subdomain.domain.fr/path2
### IFRAME 2 : domain.fr / about:blank
[...]
#############################################################
### BASE PAGE : domain.fr / https://subdomain.domain.fr/path1
### IFRAME 1 : domain.fr / https://subdomain.domain.fr/path2
### IFRAME 2 : subdomain.domain.fr / https://subdomain.domain.fr/path3
--------------------------------------------------------------------------------------------------------------------------------------
So it seems that the iframe updates its domain field when it gets its URL.
That explains why I have the exception since I'm trying to access an iframe having 'subdomain.domain.fr' from an iframe having 'domain.fr'
Still it doesn't explains why I can access the iframe from Firefox but not from Chrome.
I also tried to rewrite the first iframe's domain to 'subdomain.domain.fr' before querying the second iframe but I still have the issue
guest271314
May 27, 2021, 1:11:52 PM5/27/21
to Chromium Extensions, tourtea...@gmail.com, guest271314, PhistucK, Chromium Extensions
What I mean by "control" is are you the author of the web pages at each <iframe>?
If so you can use messaging to communicate between <iframe>'s and parent, potentially avoiding the need to use an extension at all.
Julien Tourteau
May 27, 2021, 1:24:05 PM5/27/21
to guest271314, Chromium Extensions, PhistucK
No unfortunately I'm not, it's a third-party website.
Reply all
Reply to author
Forward
0 new messages