Cross-Origin issue with iFrame for chrome extension

I am trying to write a chrome extension for auto-dialing in Google Hangouts so I don't have to enter my conference bridge number for every meeting. Would be nice to have them saved too...anyway, I have the concept sort-of working but I'm trying to get around a cross-origin issue.

When you make a call in Google Hangouts, you start at the contact page and enter the number you want to dial. When you hit enter or click "make call", the dialer is loaded in an iFrame. In my chrome extension, I am able to get a reference to the iFrame; however, the frame is under the domain "plus.google.com", and my script is accessing it from "hangouts.google.com".

I know they are both under the google.com parent domain, so I'm trying to allow my chrome extension access to the Frame in order to execute .click() on the dialer buttons within the frame's contentWindow.

In my content script in the chrome extension, I select the iframe element from the parent page and assign it to a variable called iframe.

var iframe = $("div iframe")[0];

I can set

document.domain = "google.com";

without issues, but when I try to do

iframe.contentWindow.document.domain = "google.com";

I get

content.js:3 Uncaught SecurityError: Blocked a frame with origin 
"https://hangouts.google.com" from accessing a frame with origin 
"https://plus.google.com". The frame requesting access set "document.domain" to 
"google.com", but the frame being accessed did not. Both must set 
"document.domain" to the same value to allow access.

I've tried relaxing the content security policy in the extension, but maybe I'm not doing it right:

  "content_security_policy": "script-src 'self' https://google.com; object-src 'self'",
  "permissions": [
    "http://*/",
    "tabs"
  ]

Is there a way I can get around this?

Josh asked Nov 08 '22 07:11


1 Answer

Adding permissions or relaxing CSP will not help in this case.

You need a second instance of a content script in the iframe to manipulate its document cross-domain.

Make sure you inject your content script with "all_frames": true.

You can communicate between content scripts using iframe.contentWindow.postMessage.

Xan answered Nov 15 '22 06:11
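The approach in the answer above, as an added example that is not part of the original answer: one content script injected into both frames with "all_frames": true, passing the digits over postMessage with an explicit target origin and an origin check on receipt. The manifest entry in the comment, the `autodial` message tag, the `[data-key]` selector and the sample number are assumptions, since the dialer's markup is not shown on this page.

```javascript
// content.js, injected into both frames. Assumed manifest entry (constructed):
//   "content_scripts": [{ "matches": ["https://hangouts.google.com/*",
//       "https://plus.google.com/*"], "js": ["content.js"], "all_frames": true }]
const PARENT_ORIGIN = "https://hangouts.google.com"; // origins from the error above
const DIALER_ORIGIN = "https://plus.google.com";
const MSG_TYPE = "autodial"; // hypothetical message tag

// Parent frame: hand the digits to the dialer frame, addressed to its origin
// only, so a different document loaded in that frame never receives them.
function sendDigits(iframe, digits) {
  iframe.contentWindow.postMessage({ type: MSG_TYPE, digits }, DIALER_ORIGIN);
}

// Dialer frame: return the keys to press, or null when the message does not
// come from the expected parent origin or is malformed.
function acceptMessage(event) {
  if (event.origin !== PARENT_ORIGIN) return null;
  const data = event.data;
  if (!data || data.type !== MSG_TYPE || typeof data.digits !== "string") return null;
  if (!/^[0-9*#]{1,32}$/.test(data.digits)) return null; // allowlist dial-pad keys
  return data.digits.split("");
}

// Dialer frame: click one button per key. The [data-key] selector is a
// placeholder for whatever the real dialer buttons expose.
function pressKeys(doc, keys) {
  let pressed = 0;
  for (const k of keys) {
    const btn = doc.querySelector('[data-key="' + k + '"]');
    if (btn) { btn.click(); pressed++; }
  }
  return pressed;
}

// Wire up only in a browser; each injected copy takes the role of its own frame.
if (typeof window !== "undefined") {
  if (window.location.origin === DIALER_ORIGIN && window.top !== window) {
    window.addEventListener("message", (e) => {
      const keys = acceptMessage(e);
      if (keys) pressKeys(document, keys);
    });
  } else if (window.location.origin === PARENT_ORIGIN) {
    const iframe = document.querySelector("div iframe");
    // Constructed sample number; timing is simplified to the frame's load event.
    if (iframe) iframe.addEventListener("load", () => sendDigits(iframe, "123456#"));
  }
}
```

Any page script can post messages to a frame, so the receiving content script treats every message as untrusted until the origin and shape checks pass.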