如何从iframe获取当前页面加载的url [英] How to get current page loaded url from iframe

问题描述

我使用iframe将faroo.com作为框架中的默认src加载，当我搜索并使用faroo移动到其他网页时。但仍然在iframe src中显示faroo.com仅我想要捕获具有加载在iframe中

I'm using iframe to load faroo.com as default src in frame when i search and move to other webpage using faroo.But still in the iframe src its display faroo.com only i wanted to capture url of page that has loaded in iframe

<!DOCTYPE html>
<html>
<head>
    <script src="http://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.11.1.min.js"></script>
    <script type="text/javascript">
    $(function(){
        $('#frameid').load(function(){
            var z=$('#frameid').attr('src');
            console.log('hi '+z);
        });

        $('#clicked').on('click', function(){
            $('#frameid').attr('src', 'http://www.faroo.com/');    
        });
    });

</script>

</head>
<body>

<iframe width="100%" height="500px" id="frameid" src="" name="iframe_a" ></iframe>

<p><input type="button" value="click me!" id="clicked"></p>

</body>
</html>

console.log中的o / p始终是faroo.com，而不是当前加载的网站

The o/p at console.log is always faroo.com not the current website that has loaded

推荐答案

为了安全起见，只要iframe的内容和引用的javascript可以检索URL，托管在同一个域中。

For a matter of security you are allowed to retrieve the URL as long as the contents of the iframe, and the referencing javascript, are hosted in the same domain.

如果是这种情况，您可以这样做：

Should it be the case, you can do something like:

document.getElementById("frameid").contentWindow.location.href

如果两个域不同那么您将拥有适用于跨网站参考脚本域的所有限制条件。示例：

If the two domains are different then you'll have all the restrictions that apply to the cross-site reference scripting domain. Example:

document.getElementById("frameid").src = 'http://www.google.com/';
alert(document.getElementById("frameid").documentWindow.location.href);

Error: Permission denied to get property Location.href

当然除非您在浏览器中发现了一些巨大的安全漏洞），您只需无法在父文档中使用 javascript 来实现所需内容。让我们看一个简单的例子为什么。如果浏览器允许你需要，你可以很容易地：

For sure (except if you find some huge security flaw in your browser) you simply cannot achieve what you need using javascript in the parent document. Let's see with a simple example why. If the browser allowed what you need, you could easily:

1. 创建一个带有隐藏iframe的页面（例如 http://malicous.com/dont-trust ）


2. 在iframe中，用某个网站的登录过程打开一个子页面（例如 http://insecure-web-site.com/redirectlogin ）


3. 如果儿童的Cookie存在，并且在某些情况下，框架将重定向到真实的网站，继续用户登录。


4. 现在，您可以从父页面读取URL中包含的所有登录过程中的敏感信息，例如访问令牌，会话ID ...


5. 此时，受害者网站及其用户面临着一系列可能的安全威胁...

1. Create a page, with a hidden iframe (e.g. http://malicous.com/dont-trust)
2. In that iframe, open a child page with the login process of some website (e.g. http://insecure-web-site.com/redirectlogin)
3. If cookies for child are present and under certain circumstances, the page inside the frame will redirect to the real website, proceeding with user login.
4. From the parent page now you will be able to read all the sensitive informations gone through the login process contained inside the URL, e.g. access tokens, session IDs, ...
5. At this point the victim website and its users are in front of a wide new set of possible security threats...

这篇关于如何从iframe获取当前页面加载的url的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！