javascript html iframe google-gadget

Allow a child iframe (cross site) access to window.top


I am trying to display a web site in an iframe. The iframe URL points to an internally hosted web server in my corporation, although I have no control over it whatsoever and it is 'cross site', as it has a different subdomain than my site. Further, the code is maintained by a 3rd party company and it takes A LONG TIME to get changes to this... banks and the like! The creators of the content have stated that there is no intention to prevent displaying/running the web site in an iframe.

We are to be using Cisco Finesse to "bring together" various 3rd party and locally developed web applications. (Background: Finesse uses Apache Shindig to host 'gadgets'.) At a technical level, I want to have a single URL as a gadget displayed in Finesse, which ultimately uses an iframe to display the 3rd party page.

The problem so far is that there is a piece of code on the 3rd party page that tries to access window.top.location and of course a security exception is thrown. Here is the code:

function someFunc() {
    var toppage = window.top;
    if (toppage.location.pathname.indexOf("default") == -1) {
        return toppage;
    }
    return toppage;
}

The page url is of the form, http://domain/default.aspx - just a standard aspx default page and honestly I can't figure out why this check is being performed in this manner.

Having debugged a little, I find that the code is used in several locations but for no apparent reason, i.e. it doesn't really need the top page and looks to me like some attempt to prevent "something", but I'm not sure what and neither are the current maintainers of the site.

I have tried the same code in a small test site just to see the behaviour. If I host a site with "default" in the pathname (not cross site) then the function behaves 'as expected' (again, I'm not sure what the expectation is) and the function returns the 'toppage' with no problems from within a child iframe (remember not cross site).

I have looked a lot around the net and Stack Overflow, and so far anything close requires some changes to the 3rd party site (which I cannot make), but also I haven't found a case that is exactly the same. I am at this point quite sure there is nothing I can do, but I am here to ask the gurus to get some second opinions.

Basically I want to know if there is anything I can do, even a hack, to allow the iframe access to the window.top?


Solution

  • You cannot have access to the parent of the iframe when it is on a different domain name.

    Although you can solve this in another way: http://madskristensen.net/post/iframe-cross-domain-javascript-calls

    Let’s say that:

    To make this work, you need to create a sub domain called e.g. siteb.example.com. Then point the new sub domain to the IP address of foobar.com. Now sites A and B are located under example.com.

    Then add this line of JavaScript to sites A and B:

    document.domain = 'example.com'
    

    This tells the browser that sites A and B belong to the app located at example.com and are therefore allowed to communicate using JavaScript. It could be by calling window.parent.doSomething(). Now the Same Origin Policy principle has been enabled on both sites.
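
The rule behind the answer above, as an added example that is not part of the original answer: a small model of the browser's "same origin-domain" check, showing that the `document.domain` relaxation only takes effect when both the embedding page and the framed page set it. The hostnames are constructed, and `frame`, `setDocumentDomain` and `canScript` are hypothetical helper names.

```javascript
// Added example: a model of the browser's "same origin-domain" check.
// Hostnames are constructed; frame, setDocumentDomain, canScript are hypothetical helpers.

// Describe a document; `domain` stays null until the page assigns document.domain.
function frame(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port, domain: null };
}

// Mimic `document.domain = value`: only the current host or a parent suffix is accepted.
// Simplification (assumption): real browsers reject public suffixes such as "com" using
// the Public Suffix List; here the value only has to contain a dot.
function setDocumentDomain(f, value) {
  const isSuffix = f.host === value || f.host.endsWith('.' + value);
  if (!isSuffix || !value.includes('.')) {
    throw new Error(`SecurityError: ${f.host} cannot set document.domain to ${value}`);
  }
  return { ...f, domain: value };
}

// True when script in `a` may read `b`'s DOM, e.g. window.top.location.pathname.
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  // Both documents opted in: the relaxed domains must match, the port is ignored.
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  // Only one side opted in: access is denied, even between pages of the same origin.
  if (a.domain !== null || b.domain !== null) return false;
  // Nobody opted in: plain same-origin comparison (scheme, host, port).
  return a.host === b.host && a.port === b.port;
}

const parentDoc = frame('http://sitea.example.com/gadget');       // embedding page
const childDoc = frame('http://siteb.example.com/default.aspx');  // framed page

console.log(canScript(childDoc, parentDoc));                                    // false
console.log(canScript(childDoc, setDocumentDomain(parentDoc, 'example.com')));  // false
console.log(canScript(setDocumentDomain(childDoc, 'example.com'),
                      setDocumentDomain(parentDoc, 'example.com')));            // true
```

The `document.domain` setter is deprecated in the HTML standard, and setting it widens script access to every host under the chosen suffix that does the same.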