I'm trying to find out if a script running in a wrapper page can access and use certain JavaScript object types defined on another page which is loaded in an iframe. And no, I'm not trying to set up a phishing site :)
All global var declared variables as well as functions are added as properties on the other page's window object. These I can access perfectly fine, assuming I've set up the security correctly (like cross site scripting etc.). This way I can also use these from within the wrapping page by using e.g.
// other page's javascript:
function MyFunction() {return 42}
// wrapper page's javascript:
let iframe = document.getElementsById('frameID') // or such
window.MyFunction = iframe.contentWindow['MyFunction']
console.log(MyFunction()) // should say 42
But let and const declared variables, as well as class objects do not partake in this behavior. They are only stored in the other page's global declarative environment record, and not in its global object environment record.
Is there a way that I can get access to the object types that are only stored in the other page's declarative environment record? It wouldn't surprise me if it's browser dependent, or if its not possible at all due to security concerns or 'who needs that' or such...
For a little background: I'm the creator of Jazillionth, and I got some feedback from a user that tried to test a class object, which my script failed to access. He could store the class in a regular var like var MyClass = class {} as a workaround, but that sort of defeats my purpose of Jazillionth (of not being obtrusive wrt your pages under test)...
You'll need to resort to eval (or similar) to access those variables that are not properties of the global object:
const iframeMyFunction = iframe.contentWindow.eval('MyFunction')