Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Over-riding alert() with iframe src

Tags:

javascript

overriding

iframe

Here's a sample code:

HTML

<script> alert('This is alert!') </script>

JS

window.alert = function(data)  //alert() over-riding
{
     console.log("Alert over-ridden");
}

Issue:

HTML

<iframe src=javascript:alert('Iframealert')>

JS

window.alert = function(data)  //alert() over-riding
{
   console.log("Alert over-ridden"); //This doesn't execute - I mean, this over-ride function is not called when the above iframe alert is executed
}

I knew iframe in another document is not applicable for parent over-riding (due to same domain policy), but, the src JS execution happens only in the parent.

So, how do I over-ride alert() which is applicable to above iframe tag?

Update 1:

The HTML code is static, and I cannot make any modifications to it. I can only write some JS and append to the HTML.

Is there any way to over-ride the alert() of nested browsing window?

like image 616
verstappen_doodle Avatar asked Nov 23 '25 21:11

verstappen_doodle

1 Answers

Nice question! The answer starts by looking at the rules for what happens when the src attribute is evaluated.

When this happens, the spec follows a number of steps during navigation. We end up step 14, which pertains to javascript: schemes.

Within that step, there are a series of sub-steps, one of which is:

Create a script, using script source as the script source, address as the script source URL, JavaScript as the scripting language, and the script settings object of the Window object of the active document of the browsing context being navigated.

The important thing here is "the Window object of the active document of the browsing context being navigated". Because you're navigating an <iframe>, you're actually dealing with a Nested Browsing Context, which has it's own window, so having overridden the parent window.alert makes no difference.

You can, however, override the alert of the inner window:

document.getElementById('myIframe').contentWindow.alert = function(msg) {
    console.log('Overridden iframe: ' + msg);
}

This will only work for the javascript: scheme url presented to the src attribute, as at the time this code executes we were simply trying to get the address of the page to navigate the <iframe> to. When navigation actually occurs, a new Document object with it's own window is created in step 23 of the navigation steps, at which point you lose your overridden alert.

This also relies on setting the src attribute using JavaScript after you've overridden the alert, you can't use an inline src attribute on the element as the element needs to be in the page to get hold of it and it's contentWindow, and putting it in the page means the src will get evaluated.

Here's a fiddle demonstrating the overriding of the alert within the <iframe>'s src attribute.

like image 183
James Thorpe Avatar answered Nov 26 '25 11:11

James Thorpe
Sign in to Comment

Related questions

ASP.NET MVC Validation: result in a javascript property?
How to hide/disappear address bar using javascript window.open method? [duplicate]
How to wrap _app.js within multiple providers?
adding html content to fullcalender 5.x. event
How to set different bodyparser on specific express route
Node - Access last index of multidimensional arrays
RXJS - Are nested concapMap equivalent to sequential concatMap?
Use pdfMake with data input in Angular 2 / TypeScript
How do I append Pace.js to a custom location in the DOM?
Does JavaScript regex matching require repeated code?
WebPack: Multiple entry points without additional chunks
resizeCanvas doesn't work when slick grid is collapsed
How to implement the button css like Spotify play button in the table row

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!