iFrames and Same Origin Policy

svcghost · February 28, 2011, 8:56pm

Hey guys,

It’s been bugging me a lot lately that I cannot grab the current href location URL of an iframe on a site, with different domains. I understand how SOP is great and secure, but it’s still a pain for those who are not trying to cause harm. What is the maximum harm of allowing just the ability to read the current location URL of an iFrame? I am not talking src attribute.

Is there a site that I can see every single thing excluded in iFrames due to Same Origin Policy? as well as things that are permitted?

Paul_Wilkins · March 1, 2011, 12:50am

You can see what is appowed at this iframe doicumentation page, which also links through to the [url=“https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript”]Same origin policy for JavaScript documentation page.

svcghost · March 1, 2011, 1:02am

So basically there is no way to ever get the URL of an external site in an iFrame, UNLESS you collaborate with the developer of that external site? (like the postMessage workaround)?

Paul_Wilkins · March 1, 2011, 1:13am

I prefer to think of it as cooperation.