Access parent URL from iframe

Access parent URL from iframe

Okay, I have a page on and on this page I have an iframe. What I need to do is on the iframe page, find out what the URL of the main page is.
I have searched around and I know that this is not possible if my iframe page is on a different domain, as that is cross-site scripting. But everywhere I’ve read says that if the iframe page is on the same domain as the parent page, it should work if I do for instance:
parent.document.location

parent.window.document.location

parent.window.location

parent.document.location.href

… or other similar combos, as there seems to be multiple ways to get the same info.
Anyways, so here’s the problem. My iframe is on the same domain as the main page, but it is not on the same SUB domain. So for instance I have

http:// www.mysite.com/pageA.html

and then my iframe URL is

http:// qa-www.mysite.com/pageB.html

When I try to grab the URL from pageB.html (the iframe page), I keep getting the same access denied error. So it appears that even sub-domains count as cross-site scripting, is that correct, or am I doing something wrong?

Related:  How to check if JavaScript object is JSON

Solutions/Answers:

Solution 1:

You’re correct. Subdomains are still considered separate domains when using iframes. It’s possible to pass messages using postMessage(...), but other JS APIs are intentionally made inaccessible.

It’s also still possible to get the URL depending on the context. See other answers for more details.

Solution 2:

Yes, accessing parent page’s URL is not allowed if the iframe and the main page are not in the same (sub)domain. However, if you just need the URL of the main page (i.e. the browser URL), you can try this:

var url = (window.location != window.parent.location)
            ? document.referrer
            : document.location.href;

Note:

window.parent.location is allowed; it avoids the security error in the OP, which is caused by accessing the href property: window.parent.location.href causes “Blocked a frame with origin…”

document.referrer refers to “the URI of the page that linked to this page.” This may not return the containing document if some other source is what determined the iframe location, for example:

  • Container iframe @ Domain 1
  • Sends child iframe to Domain 2
  • But in the child iframe… Domain 2 redirects to Domain 3 (i.e. for authentication, maybe SAML), and then Domain 3 directs back to Domain 2 (i.e. via form submission(), a standard SAML technique)
  • For the child iframe the document.referrer will be Domain 3, not the containing Domain 1
Related:  How to remove jQuery Mobile styling?

document.location refers to “a Location object, which contains information about the URL of the document”; presumably the current document, that is, the iframe currently open. When window.location === window.parent.location, then the iframe’s href is the same as the containing parent’s href.

Solution 3:

I just discovered a workaround for this problem that is so simple, and yet I haven’t found any discussions anywhere that mention it. It does require control of the parent frame.

In your iFrame, say you want this iframe: src=”http://www.example.com/mypage.php”

Well, instead of HTML to specify the iframe, use a javascript to build the HTML for your iframe, get the parent url through javascript “at build time”, and send it as a url GET parameter in the querystring of your src target, like so:

<script type="text/javascript">
  url = parent.document.URL;
  document.write('<iframe src="http://example.com/mydata/page.php?url=' + url + '"></iframe>');
</script>

Then, find yourself a javascript url parsing function that parses the url string to get the url variable you are after, in this case it’s “url”.

Related:  Regarding Promises/A+ Specification, what is the difference between the terms “thenable” and “promise”?

I found a great url string parser here:
http://www.netlobo.com/url_query_string_javascript.html

Solution 4:

If your iframe is from another domain, (cross domain), you will simply need to use this:

var currentUrl = document.referrer;

and – here you’ve got the main url!

Solution 5:

For pages on the same domain and different subdomain, you can set the document.domain property via javascript.

Both the parent frame and the iframe need to set their document.domain to something that is common betweeen them.

i.e.
www.foo.mydomain.com and api.foo.mydomain.com could each use either foo.mydomain.com or just mydomain.com and be compatible (no, you can’t set them both to com, for security reasons…)

also, note that document.domain is a one way street. Consider running the following three statements in order:

// assume we're starting at www.foo.mydomain.com
document.domain = "foo.mydomain.com" // works
document.domain = "mydomain.com" // works
document.domain = "foo.mydomain.com" // throws a security exception

Modern browsers can also use window.postMessage to talk across origins, but it won’t work in IE6.
https://developer.mozilla.org/en/DOM/window.postMessage

Solution 6:

The following line will work: document.location.ancestorOrigins[0] this one returns the ancestor domain name.