Disable JavaScript inside an iframe



laserdude
12-16-2008, 04:38 PM
Is it possible to disable JavaScript inside an iframe?

I'm trying to load a page into an iframe, but since that page has a function to automatically redirect outside of any frame, I need to disable JavaScript.

Or some workaround would be helpful.

Snookerman
12-16-2008, 04:56 PM
I've seen this request before and I don't think it's possible, at least nobody has provided a solution.

laserdude
12-16-2008, 05:27 PM
> I've seen this request before and I don't think it's possible, at least nobody has provided a solution.

Is there some kind of an anti-script that kills scripts?

jscheuer1
12-16-2008, 05:28 PM
Look at it this way. If you have the right to display that content in your iframe, you either have the power to remove the code that does that yourself, or to direct the person who owns the content to do so. If that's the case, a selective modification of the code vis-à-vis its effect when the top page is from your domain can be arranged. Or it could be removed altogether.

Otherwise, it would be a violation of the rights of the content holder, and therefore prohibited under the terms of use of this forum.

In any case, if you have no control over the code on the external page, there is nothing we can help you with in this matter and, incidentally, no way to do it with javascript.

laserdude
12-16-2008, 05:57 PM
> Look at it this way. If you have the right to display that content in your iframe, you either have the power to remove the code that does that yourself, or to direct the person who owns the content to do so. If that's the case, a selective modification of the code vis-à-vis its effect when the top page is from your domain can be arranged. Or it could be removed altogether.
>
> Otherwise, it would be a violation of the rights of the content holder, and therefore prohibited under the terms of use of this forum.
>
> In any case, if you have no control over the code on the external page, there is nothing we can help you with in this matter and, incidentally, no way to do it with javascript.

I already contacted the group of that website, but they say if they remove that JS for me others may misuse it... And they say there is no way to authenticate if I am using the site inside the frame or some external 3rd party... Is there a way that we can send a password to that from my site so that it will run in an iframe only from my site?

jscheuer1
12-16-2008, 06:06 PM
No password should be required. It depends upon the code that they use. If it only looks to the parent window, they are correct. However, if it looks to the top window, it may be configured to exclude your domain. Either top or parent would be as effective for their basic purposes of frame busting unless they already have nested content in iframes on the page in question. Though even that might still work out.

How about a link to the page on their site, so I can see how it is set up, and what kind of frame busting script they are using?

However, if they are simply unwilling to change their code, even if it wouldn't create any opportunity for abuse, well, you'd still be stuck.

diltony
12-16-2008, 10:31 PM
> I already contacted the group of that website, but they say if they remove that JS for me others may misuse it... And they say there is no way to authenticate if I am using the site inside the frame or some external 3rd party... Is there a way that we can send a password to that from my site so that it will run in an iframe only from my site?

The redirection script does not need to be removed. There is an environment variable called referer which allows you to determine the website that called or loaded your site, and you can authenticate it and allow or reject...
There are environment variables present that any web server language can use to block or allow sites; I am not even talking about passwords here...

jscheuer1
12-17-2008, 02:32 AM
Referrer is unreliable. The user could have come from anywhere, and the referrer may not always reflect what you might expect it to. The bottom line is that the best javascript method is what I outlined, allowing the particular domain.

But, whatever method is used, as I said:


> if they are simply unwilling to change their code, even if it wouldn't create any opportunity for abuse, well, you'd still be stuck.

laserdude
12-17-2008, 01:31 PM
> Referrer is unreliable. The user could have come from anywhere, and the referrer may not always reflect what you might expect it to. The bottom line is that the best javascript method is what I outlined, allowing the particular domain.
>
> But, whatever method is used, as I said:

Thanks for all the input... The website I am trying to frame is http://haquality.convergys.com/

jscheuer1
12-17-2008, 04:35 PM
OK, they have no nested iframes, so this should be easy. What they are currently using:


<script language="JavaScript"><!--
if (parent != self) top.location.replace(self.location.href);

//--></script>

Which should be:


<script type="text/javascript">
<!--
if (parent != self) top.location.replace(self.location.href);
// -->
</script>

Could be (untested, but it's the basic idea):


<script type="text/javascript">
<!--
if (parent != self && !/^http:\/\/((www\.)|())yourdomain\.com/.test(top.location.href)) top.location.replace(self.location.href);
// -->
</script>

which requires (if I've written it correctly) the top page (if different than their own) to have http://www.yourdomain.com or http://yourdomain.com at the beginning of its address. Pretty foolproof.

In fact, if they had a list of allowed domains, that could be configured as well, using an array of the allowed domains.

laserdude
12-23-2008, 01:09 PM
Thanks, friend, let me try this out...

jscheuer1
12-23-2008, 05:20 PM
Because of your response here, I looked over that code again and saw a potential problem. Since I wrote that, I've found cases where an empty () matches anything, so we should do it (changed section highlighted):


<script type="text/javascript">
<!--
if (parent != self && !/^http:\/((\/www\.)|(\/))yourdomain\.com/.test(top.location.href)) top.location.replace(self.location.href);
// -->
</script>

So instead of:


!/^http:\/\/((www\.)|())

We now have:


!/^http:\/((\/www\.)|(\/))

thus ensuring no empty (), without changing the intended meaning.

jodow
08-26-2010, 04:21 PM
Thanks for this code, but where do I place this in the iframe?

If I use the iframe as <iframe src="www.mydomain.com">

Thanks

jscheuer1
08-26-2010, 04:26 PM
In the head of the page at:

www.mydomain.com

jodow
08-26-2010, 04:42 PM
And if I have to go with some page like www.mydomain.com/index3.html, then what should I write in the code?

jscheuer1
08-26-2010, 04:54 PM
Same thing. What you may or may not have figured out here is that you have to have access to edit the page in the iframe. You cannot disable the javascript in the iframe from the top page unless it's on the same domain as the top page anyway, so it's easier to just tailor the code on the page in the iframe to do your bidding.

The script in question here doesn't care what the exact name of the page is, it just tests if the domain name of the top page is the desired one. If so, the page in the iframe remains in the iframe. Otherwise, it will break out of frames, so someone from another site cannot put it in one of their frames or iframes.
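
The allowlist check this thread arrives at, as an added example that is not part of the original posts: it runs the revised pattern beside an exact-origin comparison over constructed sample URLs, and builds the `Content-Security-Policy: frame-ancestors` header that lets the browser enforce the same list. `ALLOWED_FRAMERS`, the function names and the sample URLs are assumptions; `yourdomain.com` is the thread's placeholder.

```javascript
// Added example, not code from the thread. "yourdomain.com" is the thread's placeholder.
const ALLOWED_FRAMERS = ["http://yourdomain.com", "http://www.yourdomain.com"];

// The thread's revised pattern, copied as posted: it anchors only the start of the URL.
const THREAD_PATTERN = /^http:\/((\/www\.)|(\/))yourdomain\.com/;

// Exact-origin check: parse the URL and compare scheme + host + port as one unit,
// so nothing after the host name can satisfy the test.
function isAllowedFramer(topUrl, allowed = ALLOWED_FRAMERS) {
  let origin;
  try {
    origin = new URL(topUrl).origin;
  } catch (err) {
    return false; // unparsable input is never allowed
  }
  return allowed.includes(origin);
}

// Response header that makes the browser enforce the same allowlist, with no
// script in the framed page (CSP frame-ancestors directive).
function framingHeader(allowed = ALLOWED_FRAMERS) {
  return "Content-Security-Policy: frame-ancestors " + ["'self'", ...allowed].join(" ");
}

// Constructed sample top-page URLs (example.net is a reserved example domain).
const SAMPLES = [
  "http://yourdomain.com/page.html",
  "http://www.yourdomain.com/",
  "http://yourdomain.com.example.net/",
  "http://other.example.net/",
];

// Run both checks over the samples so the difference is visible side by side.
function compareChecks(urls = SAMPLES) {
  return urls.map((url) => ({
    url,
    prefixPattern: THREAD_PATTERN.test(url),
    exactOrigin: isAllowedFramer(url),
  }));
}

console.table(compareChecks());
console.log(framingHeader());
```

The third sample is the row to look at: the prefix pattern accepts it because the address only has to begin with the allowed name, while the exact-origin comparison rejects it.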