9

I have to include an external whitelabel site within an iframe on my page. There are numerous pages on the external site and they vary considerably in height.

I need to adjust the height of my iframe to accommodate this.

I can get the height of the first page loaded into the iframe (using PHP), but no way of getting subsequent page heights because no way of knowing what the url/location changes to in the iframe.

As this is an external url in the iframe the usual security limitations apply, therefore ALL solutions must come from the parent frame. Solution must be workable on FF and IE at least.

The only think I can think of is to test whether the scrollbars are visible on the iframe, but this is seemingly impossible in these circumstances.

If anyone can prove me wrong, or has any other javascript/ajax/php cross-browser solution I'd love to hear it.

Day
  • 8,635
  • 3
  • 52
  • 92
Owen
  • 6,527
  • 10
  • 52
  • 72
  • See this question: http://stackoverflow.com/questions/466672/set-iframe-to-height-of-content-for-remote-content – Zach Nov 01 '10 at 21:40
  • Yes I saw that question. But here I stated it emphatically "ALL solutions must come from the parent frame". Most suggestions I've seen involve coding of some kind on the remote page. – Owen Nov 02 '10 at 13:10

1 Answers1

8

It is not possible to do this because of the browser's security model. If it was possible, that would be a security problem and would have to be fixed.

Although letting the embedding site know the height of a third party webpage when embedded in the page seems harmless, this can leak information to the embedding site that the browser's user wants to keep private. For example, http://www.facebook.com/ renders differently depending on whether or not you are logged in, so if my website can work out the height of <iframe src="http://www.facebook.com/"> then I can work out whether or not you are a facebook user, something you probably don't want me to know.

The information leakage would be similar to the infamous CSS History Leak in that it would reveal information about the user's relationship with the third-party site just by "linking" to that site (in this case with an iframe instead of a link). Browser vendors had to plug the CSS History Leak, so I suspect if you could work out the height of a third party site rendered in an iframe in any browser, the vendor would have to fix that too.

The information leaked would be anything that can be inferred from the height of a page when rendered for a user using their cookies (which the browser will send even though rendering in an iframe inside a different domain's page). The specific risks depend entirely on the nature of the embedded site being "attacked". E.g. I could get an idea of how much stackoverflow activity someone visiting my site has by getting the height of https://stackoverflow.com/reputation which is different for different users.

Day
  • 8,635
  • 3
  • 52
  • 92
  • Hmmm.. me and 500 million others ;-) All you have is anonymous information, ie, SOMEONE is logged in. – Owen Nov 04 '10 at 10:05
  • 3
    Not exactly. I know that YOU, the person viewing my webpage is logged in. Gives me opportunity to better target a phishing attack at you. Instead of facebook, I could have secretly worked out which one of 37 different banking sites you use. Note the information leaked is similar to the CSS History Leak which caused quite a stir and a scramble to get fixed, see http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/ if you're not familiar with that one. – Day Nov 04 '10 at 15:56
  • Being in control of the parent frame you already know the first url (facebook or bank) that is loaded into the iframe. No secrets there to begin with. This is not the same as the CSS history leak (thanks for the link) but is more comparable to knowing a hyperlink used to exit your site. The only "extra" you might get is that the user has a login at the remote site... which is no suprise to you as they are using the url you supplied to the iframe. In other words, that information would be a fair guess anyway. – Owen Nov 06 '10 at 13:41
  • @Mark Flint I didn't say it was the *same* as the CSS history leak, only similar. I don't really see the similarity with knowing the link used to leave your site. You say the *only* extra you might get is that the user has a login at the remote site - might seem like a trivial matter to you personally, but it is nevertheless an information leakage that a user would be involuntarily making to the owner of the embedding site, and so should be (and is!) prevented by the browser. I don't understand your comment about this being "no surprise" and a "fair guess". – Day Nov 06 '10 at 14:47
  • OK, by "fair guess" I meant that if you provide an iframe pointing to www.facebook.com, then you can presume that those who use it will logon to Facebook. That's a fair guess. Regarding info leakage - I'm not saying it's trivial - just trying to understand the risks. The guys who write the Mozilla security blog said issues such as CSS history leak create "more paranoid netizens". To say there is a risk without qualifying it is like saying don't go out of your front door because there are risks out there. It's the old debate of security vs. usibility :-) – Owen Nov 08 '10 at 10:37
  • The risk is that the embedding site could learn anything about the user's relationship with the third-party, embedded site that can be inferred from the height of a page rendered for that user. The specific risks depend entirely on the nature of the embedded site being "attacked". E.g. I could get an idea of how much activity you have on stackoverflow by getting the height of http://stackoverflow.com/reputation. – Day Nov 08 '10 at 13:14
  • Also, regarding your clarification of "fair guess". You seem to be saying that there are lots of people with facebook accounts, so it's a fair guess that someone viewing the my website will have a facebook account. But the attack would let me know, 100% for certain, whether or not the user viewing my site has a facebook account they are logged into right now. No need to guess. And note the iframe doesn't have to be visible. There's nothing special about facebook which was just an example - for facebook please substitute any website you like, including your online bank. – Day Nov 08 '10 at 13:24