0

If I have a domain arcmarks.com and I have an iframe that displays a published google doc, do I have access to this property?

According to:

Resizing an iframe based on content

I do not have access as this is considered to be cross-domain and I can't perform the hackery b.c. I don't have access to google servers.

Howerver, using FF debugger box model, I can clearly see what this value is. 1013px in this case.

I tried the solution for same origin content.

this.E.community_frame.style.height = this.E.community_frame.contentWindow.document.body.scrollHeight + 'px';

but it did not work.

Actual test site is:

http://www.arcmarks.com/community/

Community
  • 1
  • 1

1 Answers1

0

I do not have access as this is considered to be cross-domain

Then you can't do it.

However, using FF debugger box model, I can clearly see what this value is.

Most cross domain security features are designed to stop Mallory's website from telling Alice's browser to get information from Bob's website using Alice's credentials.

Since Alice is in control of the debugger in her browser, there isn't a security concern. Mallory can't use it to get access to secrets shared by Alice and Bob.

Quentin
  • 800,325
  • 104
  • 1,079
  • 1,205
  • The browser has no way of telling if Bob's site contains personal information or not (unless Bob uses CORS to explicitly say that other sites may access data on it). It acts as if it does because it might. – Quentin Feb 02 '14 at 19:59
  • Cookies and webStorage are also siloed by origin. Mallory's JavaScript can only access the webStorage and cookies that are set on Alice's browser by Mallory's website. They can't touch those that are set by Bob's website. – Quentin Feb 02 '14 at 20:40