iFrames and Same Origin Policy

Hey guys,

It’s been bugging me a lot lately that I cannot grab the current href location URL of an iframe on a site, with different domains. I understand how SOP is great and secure, but it’s still a pain for those who are not trying to cause harm. What is the maximum harm of allowing just the ability to read the current location URL of an iFrame? I am not talking src attribute.

Is there a site where I can see every single thing excluded in iFrames due to Same Origin Policy, as well as the things that are permitted?

You can see what is allowed at this iframe documentation page, which also links through to the [url="https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript"]Same origin policy for JavaScript[/url] documentation page.

So basically there is no way to ever get the URL of an external site in an iFrame, UNLESS you collaborate with the developer of that external site? (like the postMessage workaround)?

I prefer to think of it as cooperation.
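
The postMessage cooperation mentioned in the thread, as an added example that is not code from any of the posters: the framed page reports its own URL to one named parent origin, and the parent accepts the report only from the expected frame and origin. The origins, function names and message shape are assumptions made for illustration.

```javascript
// Added example: origins, names and the message shape are hypothetical.
const PARENT_ORIGIN = "https://parent.example"; // embedding site (assumed)
const CHILD_ORIGIN = "https://widget.example";  // framed site (assumed)

// Runs inside the framed page: send the current URL to the parent only.
function reportLocation(win, parentOrigin) {
  if (win.parent === win) return false; // page is not framed
  win.parent.postMessage(
    { type: "frame-location", href: win.location.href },
    parentOrigin // never "*": the URL may carry tokens or private paths
  );
  return true;
}

// Runs in the embedding page: builds a "message" handler that trusts a
// report only if it comes from the expected frame window and origin.
function makeLocationReceiver(frameWindow, childOrigin, onUrl) {
  return function onMessage(event) {
    if (event.origin !== childOrigin) return false; // unexpected sender origin
    if (event.source !== frameWindow) return false; // some other window
    const data = event.data;
    if (!data || data.type !== "frame-location") return false;
    if (typeof data.href !== "string") return false;
    let url;
    try {
      url = new URL(data.href);
    } catch {
      return false; // not a parseable absolute URL
    }
    if (url.origin !== childOrigin) return false; // claim must match sender
    onUrl(url.href);
    return true;
  };
}

// Browser wiring, shown as comments so the file also loads outside a browser:
//   framed page:  reportLocation(window, PARENT_ORIGIN);
//   parent page:  const frame = document.querySelector("iframe");
//                 window.addEventListener("message",
//                   makeLocationReceiver(frame.contentWindow, CHILD_ORIGIN,
//                     (href) => console.log("frame is at", href)));
```
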