2

I've heard that it's possible to poll the url of an iframe for a hash to do something with it from the parent. What I need to do is set the height of a cross domain iframe dynamically. So whenever the height changes, the iframe sets its url to someurl#height. Now I need to access the hash (#height) from the parent, but it still won't let me. Using a proxy (iframe inside an iframe) is not an option in this case. Maybe I'm doing something wrong, how would you poll the url of an iframe?

`iframe.contentWindow.location.href` - security alert

`iframe.src` - returns the url WITHOUT the hash

Marius
  • Can you use a cross-domain policy file, or do you not know what domain the iframe is going to access? – Robusto Feb 19 '10 at 13:30
  • This might very well do the trick: http://stackoverflow.com/questions/5606920/cross-domain-iframe-resizer/6940531#6940531 – thomax Aug 04 '11 at 11:26

1 Answer

0

That's not usually the way it's done. What should be done is that the iframe calls `window.parent.location = "#<iframe height>";`, setting the parent to have the hash value of the iframe height.

The parent page uses either the onhashchange event (IE, Firefox) to capture the change and then set the iframe's height or a timer that checks the hash value every 100ms or so. This is how Google CSE does it, at least.

See also my answer to a similar question:

Handle URL anchor change event in js

Andy E
  • But will the iframe be able to access window.parent if the parent is on another domain? Isn't that the same security issue? – Marius Feb 19 '10 at 13:42
  • I've just checked, your solution does work, but ... how can you be able to do that? Why is this not a security violation? – Marius Feb 19 '10 at 13:49
  • @Marius: You're just changing the parent page location, you're not accessing any data or anything, it's not really a security issue. It could be considered a usability issue (changing the parent page without consent, etc), but in fact the reason it works is to avoid security issues; this is how sites get out of being framed if they don't want to be framed - they just set `top.location = window.location;`. – Andy E Feb 19 '10 at 13:56
  • Some properties aren't subject to the cross-domain policy. `location` is one of them. – Andy E Feb 19 '10 at 13:58
  • Thanks. Unfortunately, this solution only works in Opera. Firefox and IE go crazy! IE redirects to the iframe's url and Firefox ... wow, I'm not even sure what it does ;] How could I solve this stuff? :( – Marius Feb 19 '10 at 14:43
  • @Marius: I suspect there's a problem with your code (or my code, if you're using it ;-)). Post what you've got so far and I'll see if I can take a look at it. – Andy E Feb 19 '10 at 14:46
  • Well, I'm using your code in the iframe the way you posted it: `window.parent.location = '#' + someheight;` But for some reason, IE adds this hash to the end of the iframe's url and redirects the parent window there, and Firefox does something non-logical as well. Opera, however, just adds the hash to the parent's url and I can access it from there. There's really no more relevant code to paste here. I've tried to simply assign to `window.parent.location.hash`, but it can't be accessed due to security issues. Only `window.parent.location` can be accessed and only in write-only mode. – Marius Feb 19 '10 at 14:53
  • @Marius: I see. In that case, you could pass the parent url to the iframe url as part of the query, then set the *full* location eg `window.location = "" + iframeHeight;` – Andy E Feb 19 '10 at 15:13
  • Andy, I can't do that either, because I would be passing the url of the iframe with a technique like that. And we are changing the url of the parent, not the iframe. So if I get the host from php, I will be getting the host of my iframe and it can be embedded in a way different host. – Marius Feb 22 '10 at 07:38
  • Oh, I see what you mean. I'll try to do something like that. – Marius Feb 22 '10 at 08:53
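
The approach described in the answer and its comments (the iframe writes the full parent URL plus `#height` to `window.parent.location`, and the parent watches its own hash), as an added example that is not code from the thread. The `parent` query parameter name, the allow-listed origin and the height bounds are assumptions made for illustration.

```javascript
// Added example: names, origins and limits are assumptions, not from the thread.
const ALLOWED_PARENT_ORIGINS = ["https://host.example"]; // constructed embedder allow-list
const MIN_HEIGHT = 50, MAX_HEIGHT = 5000;                // assumed bounds in px

// Iframe side: build the full parent URL with "#<height>" appended.
// parentUrlParam is the parent URL the embedder passed in the iframe's query.
// Returns null unless its origin is allow-listed, so a tampered query cannot
// turn the write-only parent.location into an open redirect of the top page.
function buildParentTarget(parentUrlParam, height) {
  let url;
  try { url = new URL(parentUrlParam); } catch (e) { return null; }
  if (!ALLOWED_PARENT_ORIGINS.includes(url.origin)) return null;
  if (!Number.isInteger(height) || height < 0) return null;
  url.hash = String(height); // replaces any hash already present
  return url.href;
}

// Parent side: accept only "#<digits>" and clamp; anything else is ignored,
// because any framed page can write to the parent's hash.
function parseHeightFromHash(hash) {
  const m = /^#(\d{1,5})$/.exec(hash);
  if (!m) return null;
  return Math.min(MAX_HEIGHT, Math.max(MIN_HEIGHT, parseInt(m[1], 10)));
}

// Parent side wiring: hashchange event where available, else a 100 ms poll.
function watchHash(win, iframe) {
  let last = null;
  const apply = () => {
    if (win.location.hash === last) return;
    last = win.location.hash;
    const h = parseHeightFromHash(last);
    if (h !== null) iframe.style.height = h + "px";
  };
  if ("onhashchange" in win) win.addEventListener("hashchange", apply);
  else win.setInterval(apply, 100);
  apply(); // pick up a hash that is already set
}

// In the iframe (browser only; "parent" is a hypothetical query parameter):
//   const p = new URLSearchParams(location.search).get("parent");
//   const target = buildParentTarget(p, document.body.scrollHeight);
//   if (target) window.parent.location = target;
```
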