| 9:12 pm on Nov 21, 2011 (gmt 0)|
No, if it were possible it would be one big security hole/nightmare.
| 9:26 pm on Nov 21, 2011 (gmt 0)|
Yes, in the last hours I have learned a lot about this issue. Thanks for your response.
| 11:55 am on Nov 22, 2011 (gmt 0)|
Won't work like that because of the SOP, but do you know the URL of the button when clicked? If so you can emulate the click by using the src attribute on a resource tag. For example an image tag that points to the URL of the button when clicked under normal circumstances. When the browser attempts to load the image it will fire this event automatically.
| 2:26 pm on Nov 22, 2011 (gmt 0)|
Sounds interesting. But I am talking about an iframe loaded with 3rd party content from another domain.
Have you tried what you say?
And if so can you explain a little more, please?
| 2:51 pm on Nov 22, 2011 (gmt 0)|
You can see the source code of an iframe. Just enter the src tag as a plain URL in the browser and see the source. From there you can see the HTML for the button.
| 3:07 pm on Nov 22, 2011 (gmt 0)|
Ah, that! Of course I know that. No, it is much harder than that. The URL is dynamically formed for each request. No, I can't simulate the link to click it in a controlled environment.
I asked this same issue in SO:
Thanks for your attention...
| 4:40 pm on Nov 22, 2011 (gmt 0)|
The other thing is, does the IP of the client play a role for the 3rd party content/button clicked? I don't know what the objective is here.
If it doesn't matter you can always make your server connect to the 3rd party and then of course you do whatever you like as your server becomes the intermediary.
| 4:53 pm on Nov 22, 2011 (gmt 0)|
Actually now I am trying to load my own iframe (served from server) with the 3rd party content. And write some more local code to operate over the content...
| 5:24 pm on Nov 22, 2011 (gmt 0)|
|I am trying to load my own iframe (served from server) with the 3rd party content. |
frame, iframe, the same security rules apply, you can do this but . . .
|And write some more local code to operate over the content... |
You can't do this. If it's loaded from your server, you can, but not an external site.
| 5:48 pm on Nov 22, 2011 (gmt 0)|
I just tried. You are right.
So all agree that these cross-site operations are impossible?
Indeed we can get iframes' contents easily with jquery contents() method but trigger events inside iframe we do not.
| 6:01 pm on Nov 22, 2011 (gmt 0)|
They aren't impossible, they're controllable.
Now if your server requests the content from another server, it is in essence a client. You can then modify the content any way you want. So if the button you're looking for has an id (you can add one if it doesn't exist) use the id with the jQuery live event. The click event won't work just like that because the content is dynamically loaded. And you don't need an iframe in this case.
| 6:33 pm on Nov 22, 2011 (gmt 0)|
enigma1, the 3rd party content is ALWAYS framed. I can't control that. To be straight, we are talking about code that is called with a couple of js lines in the client page. These js lines dynamically create an iframe to load their content. So the content that I want to access is always inside an iframe.
This can be controlled (by the 3rd party) with X-Frame-Options (HTTP headers) that assure that the code is inside a page served by the owner. So it can't be modified in any way. That together with [en.wikipedia.org...] that do not allow (some actions, not all) cross-site coding makes it impossible to "click over a button inside a dynamically loaded iframe containing 3rd party content".
That is what I am understanding now more and better.
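The framing check that X-Frame-Options asks a browser to make, as an added example that is not part of the thread or any poster's code. It also covers the CSP `frame-ancestors` directive, which the thread does not mention; the URLs are constructed, and header names are assumed to be lowercased by the caller.

```javascript
// Added example: would a browser render `frameUrl` inside a frame on `parentUrl`?
// Simplified: one level of framing, exact-origin CSP sources only (no wildcards).

function frameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function mayBeFramed(frameUrl, parentUrl, headers) {
  const frameOrigin = new URL(frameUrl).origin;
  const parentOrigin = new URL(parentUrl).origin;

  // When CSP frame-ancestors is present, browsers ignore X-Frame-Options.
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    return sources.some((src) => {
      if (src === "'none'") return false;
      if (src === "'self'") return parentOrigin === frameOrigin;
      try {
        return new URL(src).origin === parentOrigin;
      } catch {
        return false; // not an absolute origin; outside this example's scope
      }
    });
  }

  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parentOrigin === frameOrigin;
  return true; // no framing restriction was sent
}

// Constructed sample: a widget page and two candidate parent pages.
const WIDGET = "https://widgets.example/button";
const PARENTS = ["https://widgets.example/host", "https://blog.example/post"];
for (const parent of PARENTS) {
  console.log(parent, mayBeFramed(WIDGET, parent, { "x-frame-options": "SAMEORIGIN" }));
}
```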
| 7:52 pm on Nov 22, 2011 (gmt 0)|
The procedure is you take the src link from these js lines (this should be possible, because that's what the browser is going to use to create the request anyways), you do an fsockopen (or curl) in PHP, and you make a request to the other server from your server. The content that comes back is now open to do whatever modifications you want, in other words you act as an elite proxy. This is not SOP and you can emulate whatever you want, send cookies, headers etc. The other end doesn't know the way you browse the content.
And let's assume the other server may send the X-Frame-Options header or any other header, why do you care about it since your server will be the receiving end, not a real browser?
But if you depend on the original client's IP/origin, then yes there is no point doing that. Because when you emulate the click, it will be your server's IP that will show up on the other end, not the original client's.
| 8:19 pm on Nov 22, 2011 (gmt 0)|
I have used curl a lot in scraping jobs and I know that it can send any HTTP header to fool the target server.
Indeed my code must run in a Firefox addon without any server side backend. And even in that case the issue remains. Framed code is well protected. And being framed is a condition imposed by the 3rd party to respond.
Thanks to all!
| 6:22 pm on Nov 23, 2011 (gmt 0)|
Methinks you missed the point - though I wouldn't condone this practice, :-)
- point your iframe at server side SCRIPT instead of third party site (and devise some way to tell it "which site")
- Server side script CURLS third party site
- third party site is now the output of server side SCRIPT which is now **on your server,** not on third party site
- You can modify the contents of this frame because the content comes from your server.
| 6:34 pm on Nov 23, 2011 (gmt 0)|
I have thought of this type of solution. But, as I told enigma1, I can't use server side scripting. This is for a Firefox addon.