[#19337] - com_wrapper iframeHeight function blocked.
- Closed
- 7 Jun 2019
- Medium
- Build: master
- # 19337
Steps to reproduce the issue
Use com_wrapper to put an iframe in a module.
Expected result
No js console errors
Actual result
In Chrome:
VM1127:66 Uncaught DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "http://www.xxxx.co.uk" from accessing a cross-origin frame.
at HTMLIFrameElement.contentDocumentDesc.get [as contentDocument] (<anonymous>:66:14)
at iFrameHeight (http://www.xxxx.co.uk/media/com_wrapper/js/iframe-height.js:5:55)
at HTMLIFrameElement.onload (http://www.xxxx.co.uk/:809:19)
System information (as much as possible)
Joomla 3.8.3.
Chrome 64-bit v63.0.3239.84 on Windows 10 Pro 64-bit 1709.
Additional comments
The html causing the issue is:
<iframe onload="iFrameHeight()" id="blockrandom"
name=""
src="https://yyyy.com/"
width="100%"
height="500"
scrolling="auto"
frameborder="0"
title="Discord"
class="wrapper" >
No iframes</iframe>
and it is the call to the iframeHeight js function in the main site from inside an iframe that appears to be the cause of the error.
| Labels |
Added:
?
|
||
Yes - the issue is that the approach of trying to execute a JS function in the main window from inside an iframe is that it breaks cross-site security rules and is blocked.
So #19136 will not work for this reason (though it also has another issue - I have tested it and reported a js error).
franz-wohlkoenig
- | Category | ⇒ | com_wrapper |
There is nothing we can do for this, this is something that users need to understand and enable the script (auto height) only for domains they control
My point is that this concept needs to be withdrawn from Joomla - Joomla should not be using inappropriate functionality nor creating error messages in the JS console.
This functionality is totally fine for the same or domains that you might have control.
| Status | New | ⇒ | Discussion |
- Is there another way of achieving the same goal without attempting cross-domain JS? Perhaps using simple CSS (which I haven't tried) like:
<div style="overflow:hidden">
<iframe
src="http://www.example.com"
frameborder="0"
style="overflow:hidden;height:100%;width:100%"
height="100%" width="100%">
</iframe>
</div>
-
How about testing for domains of parent and iframe being the same and only running this if they are?
-
Make the use of iframeHeight optional, and also provide an option for HTML5
sandbox="allow-scripts"attribute with warnings about security consequences. -
See whether David Bradshaw's iframe-resizer would solve this.
| Labels |
Added:
J3 Issue
|
||
As stated by @dgrammatiko this is beyond our control and the option and its limits are described correctly - please close - if I have misunderstood something it can always be reopened
| Status | Discussion | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-06-07 22:34:07 |
| Closed_By | ⇒ | joomla-cms-bot |
| Closed_By | joomla-cms-bot | ⇒ | Quy |
Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/19337
Try #18916
Although I think this code will never execute for different domains due to browsers restrictions