简体繁体 English

在来自不同域的iFrame上运行bookmarklet

[英]Running a bookmarklet on an iFrame that is coming from a different domain

原文 2010-12-19 05:11:09 9 3 javascript/ security/ iframe/ bookmarklet

Is there any way to run a bookmarklet on an iFrame which is from a different domain? 有没有办法在来自不同域的iFrame上运行bookmarklet？

For example, I have a page loaded from http://example.com , which has an iFrame whose source is set to http://example2.com . 例如，我有一个从http://example.com加载的页面，它有一个iFrame，其源代码设置为http://example2.com 。 When I run the bookmarklet, it is always run on http://example.com , since that is the main page. 当我运行bookmarklet时，它总是在http://example.com上运行，因为那是主页面。 I want to run it on the other iFrame though. 我想在另一个iFrame上运行它。

When I attempt to interact with the iFrame (eg by changing its source attribute to javascript:alert('test') ), Chrome shows the following error: 当我尝试与iFrame交互时（例如，通过将其源属性更改为javascript:alert('test') ），Chrome会显示以下错误：

Unsafe JavaScript attempt to access frame with URL http://example.com from frame with URL http://example2.com . 不安全的JavaScript尝试与URL访问框架http://example.com从框架与URL http://example2.com 。 Domains, protocols and ports must match. 域，协议和端口必须匹配。

I tried dragging and dropping the bookmarklet into the frame, but it says: 我尝试将书签拖放到框架中，但它说：

Failed to load resource 无法加载资源

Is there any way for me to interact with an iFrame using a bookmarklet in Chrome? 有没有办法让我在Chrome中使用书签与iFrame交互？

3 个解决方案

There is a way to do cross-domain message-passing (not arbitrary code execution) using window.postMessage , yet all a frame A can do to frame B (when they are not of the same origin ) is passing it a message hoping that B has a callback function listening for this message. 有一种方法可以使用window.postMessage进行跨域消息传递（而不是任意代码执行），但是所有帧A都可以对帧B（当它们不是同一个源）做的时候传递一个消息希望B有一个回调函数侦听此消息。

So here if you control exemple2.com (what's in the frame that don't get the bookmarklet), you can make the bookmarklet pass a message to the iframe and handle it in the iframe. 所以这里如果您控制exemple2.com（框架中没有得到书签的内容），您可以让书签将消息传递给iframe并在iframe中处理它。

Else I don't think you have a solution here, except very complicated ones (like proxying). 否则我认为你没有解决方案，除了非常复杂的解决方案（如代理）。

Other links: 其他链接：

One option if you are not in control of the page or the iframe is to load the iframe into a new window. 如果您不控制页面或iframe，则可以选择将iframe加载到新窗口中。 The src attribute of the iframe is available to read by the parent JS, which can then open a new tab or window. iframe的src属性可供父JS读取，然后可以打开新的选项卡或窗口。 The user can then click on the bookmarklet a second time to load it into this new page. 然后，用户可以再次单击书签，将其加载到此新页面中。

iFrames have alot of security on them as do ajax calls. 与ajax调用一样，iFrame对它们有很多安全性。

Any attempt to use these in a cross-domain manner will result in a security error. 任何以跨域方式使用这些的尝试都将导致安全性错误。

Imagine you were able to interact with other iFrames on different domains. 想象一下，您可以与不同域上的其他iFrame进行交互。 You would be able to make an iFrame (like facebook login's page) that had width and height of 100% and add a function to execute on a submit event which would email you the username and pass before submitting. 您可以制作宽度和高度均为100％的iFrame（如facebook登录页面）并添加一个函数来执行提交事件，该事件将通过电子邮件向您发送用户名并在提交前通过。

So you're gonna have a lot of trouble accomplishing what you're trying to do. 所以你要完成你想要做的事情会有很多麻烦。 You basically can't mess with a page that you don't own. 你基本上不能搞乱你不拥有的页面。 You can use firebug to edit it with the html tab though. 您可以使用firebug来编辑html选项卡。

Hope that helps 希望有所帮助