i was trying to inject script inside an iframe element trying to implement this way, child and parent does not belong to same domain (i know XSS is prevented in latest browsers) is there any way to inject script to child element of button click on parent element. (kinda similar running scripts in chrome console)

var myIframe = document.getElementById("myIframeId");
var script = myIframe.contentWindow.document.createElement("script");
script.type = "text/javascript";
script.src = "randomshit.js";
myIframe.contentWindow.document.body.appendChild(script);

i was trying to inject script inside an iframe element trying to implement this way, child and parent does not belong to same domain (i know XSS is prevented in latest browsers) is there any way to inject script to child element of button click on parent element. (kinda similar running scripts in chrome console)

var myIframe = document.getElementById("myIframeId");
var script = myIframe.contentWindow.document.createElement("script");
script.type = "text/javascript";
script.src = "randomshit.js";
myIframe.contentWindow.document.body.appendChild(script);

• javascript
• html
• iframe
• inject

Share Improve this question Follow edited Feb 23, 2013 at 15:17 Mr.Me 9,29655 gold badges4141 silver badges5151 bronze badges asked Feb 23, 2013 at 14:54 Bhargav KrishnaBhargav Krishna 22711 gold badge44 silver badges1212 bronze badges 1

• No, the cross domain origin policy prohibits this. The pages can municate using messages though. – Benjamin Gruenbaum Commented Feb 23, 2013 at 15:03

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 9

Nope. Same Origin Policy dates back to Netscape 2.0.

Unless you can hack/XSS the other site's files to inject the JS, you will have a hard time.

Now if you legitimately need to municate with the other page, and you either have control of the other page or can setup it to municate with your server, you can use window.postMessage, JSONP or even Ajax with CORS (latter 2 will be harder to pass dynamic content though). But I believe it is not the case.

using chrome extension add this to manifest { "matches": ["<all_urls>"], "all_frames": true, "js": ["captcha.js"] } and using console you can use this: `var firstIframe = window.frames[0]; console.log(firstIframe);

// Access the contentDocument of the iframe var iframeDocument = firstIframe.document;

// Use jQuery within the iframe to select '.img-action-text' elements var elements = $(iframeDocument).find('.img-action-text');`