I would like to know how to access and modify the contents of a cross domain iframe in JavaScript within a Firefox WebExtension. I understand the limitations of normal JavaScript and that modifying a cross domain iframe would be an XSS vulnerability, but I believe there is some way to do it in a WebExtension that I cannot find. I believe this because the legacy extension manifests had options for allowing cross domain content in the permissions section.

When viewing old code for the legacy versions of FireFox extensions, there seems to be options for cross domain content for certain websites in the fashion below. Although for the new FireFox WebExtension, this is not a feature listed in the documentation.

"cross-domain-content": [""]

Here is my manifest.json file.

{
  "manifest_version": 2,
  "name": "Test Extension",
  "version": "1.0",
  "content_scripts": [
    {
      "matches": ["*://*/*"],
      "all_frames": true,
      "js": [
        "js/main.js"
      ]
    }
  ],
  "permissions": [
    "*://*/*",
    "<all_urls>",
  ]
}

Here is my main.js file.

// Code is being run within an iframe ("all_frames": true)
if (window != window.top) {
  // Attempt to log the source of the parent iframe
  // If cross domain, met throws - Error: Permission denied to access property "frameElement"
  console.log(window.parent.frameElement.src);
}

As you can see in the main.js file, when attempting to print the source for the parent iframe an error is thrown as below.

Error: Permission denied to access property "frameElement"

I want to know how it would be possible to allow a FireFox WebExtension to access and modify the contents of a cross domain iframe. I'm not sure if it is a problem of not putting down the right permission in the manifest, or that I have to use the WebExtension API or something, I just can't find anything on this.

Additionally, if anyone could refer or provide me some examples of modifying the contents of an iframe in this fashion, it would be much appreciated.

I would like to know how to access and modify the contents of a cross domain iframe in JavaScript within a Firefox WebExtension. I understand the limitations of normal JavaScript and that modifying a cross domain iframe would be an XSS vulnerability, but I believe there is some way to do it in a WebExtension that I cannot find. I believe this because the legacy extension manifests had options for allowing cross domain content in the permissions section.

When viewing old code for the legacy versions of FireFox extensions, there seems to be options for cross domain content for certain websites in the fashion below. Although for the new FireFox WebExtension, this is not a feature listed in the documentation.

"cross-domain-content": ["https://www.example."]

Here is my manifest.json file.

{
  "manifest_version": 2,
  "name": "Test Extension",
  "version": "1.0",
  "content_scripts": [
    {
      "matches": ["*://*/*"],
      "all_frames": true,
      "js": [
        "js/main.js"
      ]
    }
  ],
  "permissions": [
    "*://*/*",
    "<all_urls>",
  ]
}

Here is my main.js file.

// Code is being run within an iframe ("all_frames": true)
if (window != window.top) {
  // Attempt to log the source of the parent iframe
  // If cross domain, met throws - Error: Permission denied to access property "frameElement"
  console.log(window.parent.frameElement.src);
}

As you can see in the main.js file, when attempting to print the source for the parent iframe an error is thrown as below.

Error: Permission denied to access property "frameElement"

I want to know how it would be possible to allow a FireFox WebExtension to access and modify the contents of a cross domain iframe. I'm not sure if it is a problem of not putting down the right permission in the manifest, or that I have to use the WebExtension API or something, I just can't find anything on this.

Additionally, if anyone could refer or provide me some examples of modifying the contents of an iframe in this fashion, it would be much appreciated.

• javascript
• jquery
• firefox
• iframe
• firefox-addon-webextensions

Share Improve this question Follow asked Mar 23, 2017 at 6:11 BigBergerBigBerger 1,80344 gold badges2525 silver badges4343 bronze badges 5

• I'm already doing this, you can see this with the code I provided for my manifest file. This does not allow me permission to modify cross domain iframes, it only runs my JavaScript file within the main tab and any iframes within it. – BigBerger Commented Mar 23, 2017 at 6:34
• Did you even bother to read my post? I literally gave my code examples with exactly what you are describing. That is the entire basis of my question, I'm wondering why I am not able to access the content this way. – BigBerger Commented Mar 23, 2017 at 6:45
• Ok, my bad, I actually didn't read carefully. So the problem is not that you can't access the inner iframe, but that you can't access the parent window from this inner iframe. – Kaiido Commented Mar 23, 2017 at 6:55
• So the sandbox allow-top-navigation parameter doesn't seem to work on cross-origin frames whatever we do, but you can still use window.parent.postMessage to municate between the iframe and the main document. The script you injected in the frame has the same restrictions as the framed document. – Kaiido Commented Mar 23, 2017 at 7:15
• I'm indebted to you for mentioning the all_frames option which I didn't know existed and is not documented whatsoever! This allows my content.js to be loaded within every frame, so that each can manage its own iframe or top level document, which means I don't have to worry about cross domain or iframe onload events or anything. – David McHealy Commented Apr 18, 2018 at 13:07

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 6

Directly accessing cross-domain content is not possible

Directly accessing cross-domain content is not, or at least should not, be possible. While there may be a way around this restriction (I have not looked exhaustively), it would not be intentional and would be considered a bug.

Unlike other types of Firefox extensions, WebExtensions are granted permissions to access content on, at most, a domain by domain basis. This is regardless of you specifying "<all_urls>", or "*://*/*" in your manifest.json permissions. Specifying multiple domain permissions does not open up access to cross-domain content. Opening up access to cross-domain content would be a more plex problem, which would, potentially, have its own set of security related bugs. As a result, specifying multiple domains in your permissions just permits you to inject scripts/CSS into multiple matching URLs, without special access to cross-domain content. Thus, there should not be a way to directly access content in, or from, a cross-domain iframe.

Cross-domain content must be accessed with a script injected in that frame

If you want to access that cross-domain content, you must inject a script in the iframe, or top level window, which you desire to access. As mentioned, your ability to inject such scripts/CSS is one of the things controlled by permissions. You can then use message passing (either from/to the content scripts in the top frame/child frame, or relayed through a background script) to municate between the scripts you have injected in the cross-domain frames.

Given that you are already injecting scripts into <all_urls>, and all_frames, you will just need to implement one of the methods of municating between them mentioned above. You will then need to request the information you need from the other script, or pass the information to the other script for processing.