How to get current page loaded url from iframe [duplicate]

Question

I'm using iframe to load faroo.com as default src in frame when i search and move to other webpage using faroo.But still in the iframe src its display faroo.com only i wanted to capture url of page that has loaded in iframe

<!DOCTYPE html>
<html>
<head>
    <script src="http://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.11.1.min.js"></script>
    <script type="text/javascript">
    $(function(){
        $('#frameid').load(function(){
            var z=$('#frameid').attr('src');
            console.log('hi '+z);
        });

        $('#clicked').on('click', function(){
            $('#frameid').attr('src', 'http://www.faroo.com/');    
        });
    });

</script>

</head>
<body>

<iframe width="100%" height="500px" id="frameid" src="" name="iframe_a" ></iframe>

<p><input type="button" value="click me!" id="clicked"></p>

</body>
</html>

The o/p at console.log is always faroo.com not the current website that has loaded

Answer 1

Seem likes there is a hack to make this work and I actually can't believe it's even allowed. This is how it seems to work:

1) Change the domain to match iframe:

document.domain = <iframe_domain>

2) Get the URL like so:

console.log($('iframe')[0].contentWindow.location.href)

In my opinion, this should not have worked, but it does. I tested with the following in Safari, Chrome and Firefox all latest version as of 02/01/2017:

Main: http://subdomain.website.com iframe: http://www.website.com

What do you think? Is this permanently allowed or is it an oversight that will be patched soon?

Update

I started another thread for discussion here regarding browser security.

Isn't This A Serious Browser Security Issue? RE: Cross-Domain iframe Hack

Update 2

Seems like this will always be supported for specific cases.

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy