编辑内部 iframe 内的跨域 iframe 的 css [英] Edit the css of a cross domain iframe that is inside an internal iframe
问题描述
我检查了此处提出的有关编辑 iframe 的 CSS 的(许多)问题,并且我能够编辑来自我们自己网站的其他 iframe,但这完全不同.
I checked the (many) questions asked here about editing the CSS of an iframe, and I was able to edit other iframes that come from our own site, but this is quite different.
我有一个 iframe(托管在同一站点上),它创建一些 HTML 元素,然后调用跨域 iframe 来显示游戏(在其中).
I have an iframe (hosted on the same site) that creates some HTML elements and then calls a cross domain iframe to display a game (inside it).
到目前为止,我已经能够使用 jquery .contents() 和 .find() 函数自由编辑内部 iframe:
So far I have been able to freely edit the internal iframes by using jquery .contents() and .find() function:
var first-iframe = $('#iframeid').contents();
first-frame.find('.to-modify').css('blabla','10);
contents 允许我 .find() iframe 内的任何元素并修改 css.当我有第二个跨域 iframe 时,问题就来了.
The contents allows me to .find() any element inside the iframe and modify the css. The problem comes when I have the second, cross domain iframe.
第一个 .contents() 似乎没有让我访问第二个 iframe,我不确定进行排队调用是否有效.我试过这样的事情:
The first .contents() doesn't seem to give me access to the second iframe, and I'm unsure if doing a queued call works. I tried something like this:
first-iframe.find('#second-Iframe').contents();
但这似乎也不起作用.我阅读了许多其他编辑 css 的选项,但其中大多数不适用于跨域 iframe.
But that doesn't seem to work either. I read many other options to edit css, but most of them don't work with cross domain iframes.
很抱歉没有提供任何代码,它包含一些合理的逻辑.我希望我把我的问题说清楚了.
Sorry for not providing any code, it contains some sensible logic. I hope I made my issue clear enough.
推荐答案
跨域 IFrame 没有办法编辑,因为它会打开各种安全漏洞.
There is no way to edit a Cross Domain IFrame, because it would open all kinds of security loopholes.
想象一下,我向您的银行打开了一个隐藏的跨域 IFrame 并且可以对其进行流氓 JS 操作?
Imagine for a second I open a hidden Cross Domain IFrame to your bank and can run rogue JS manipulations on it?
然而,您可以操作同一级别内的域,或域链中更低级别的域,但那是因为域级别的内部信任",例如:example.com 可以编辑 bar.example.com
You can however, manipulate domains within the same level, or lower in your domain chain, but thats because of "the internal trust" into the domain level, e.g: example.com can edit bar.example.com
如果有办法,那就是CVE,应该报告修复.
If there is a way, it's a CVE, and should be reported to be fixed.
这篇关于编辑内部 iframe 内的跨域 iframe 的 css的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
