Need to get the id of the iframe postMessage came from.

I need to get the id (or some identifying information) of the iframe "parent.postMessage" was used in when the listener event triggers.

The code below works for the local page (1.htm) but not for cross domain pages which makes no sense because the iframe id is purely local information.

Home page code:
<script>
var eventMethod=window.addEventListener?"addEventListener":"attachEvent";
var eventer=window[eventMethod];
var messageEvent=eventMethod=="attachEvent"?"onmessage":"message";
eventer(messageEvent,function(e){
    // frameElement is only readable for same-origin frames; this is the line that fails for 2.htm and 3.htm
    alert("Message coming from iframe:"+e.source.frameElement.id)
});
</script>
<iframe id="iframe1" src="1.htm"></iframe><br>
<iframe id="iframe2" src="http://differentDomain.com/2.htm"></iframe><br>
<iframe id="iframe3" src="http://differentDomain.com/3.htm"></iframe><br>

1.htm, 2.htm and 3.htm code:
<script language="javascript">parent.postMessage("ready","*");</script>

For 2.htm and 3.htm I get the following error:
Error: Permission denied to access property 'frameElement'
Note: This identity can't be streamlined inside the postMessage, for example: parent.postMessage("i'm #2! :D","*"). I need to identify the iframe entirely with the local JavaScript, in a way where I can load all the iframes at the same time.

Thanks guys, I will continue my Googling and bow to your superior knowledge :)
GrrWolfie Asked:

Gary Commented:
Cross domain iframes cannot communicate with the parent page and vice versa.
Unless you specify allow headers on the domains.
0
GrrWolfie (Author) Commented:
"Cross domain iframes cannot communicate with the parent page and vice versa.
Unless you specify allow headers on the domains."
Can this be done in the HTML?

Useful Resource:
http://www.w3.org/TR/2008/WD-html5-20080610/comms.html#origin1
The data attribute represents the message being sent.

The origin attribute represents, in cross-document messaging, the origin of the document that sent the message (typically the scheme, hostname, and port of the document, but not its path or fragment identifier).

The lastEventId attribute represents, in server-sent dom events, the last event ID string of the event source.

The source attribute represents, in cross-document messaging, the Window from which the message came.
0
GrrWolfie (Author) Commented:
Here's the solution, however I'd love confirmation that the homepage can't be "tricked" into thinking a message from one iframe is coming from another through any manner of man-in-the-middle attack. Thank you :)

<script>
var eventMethod=window.addEventListener?"addEventListener":"attachEvent";
var eventer=window[eventMethod];
var messageEvent=eventMethod=="attachEvent"?"onmessage":"message";
eventer(messageEvent,function(e){
    var frames=document.getElementsByTagName('iframe');
    for(var i=0;i<frames.length;i++){
        // Comparing window references is permitted across origins
        if(frames[i].contentWindow===e.source){
            alert("Message coming from iframe:"+frames[i].id)
            break;
        }
    }
});
</script>
<iframe id="iframe1" src="1.htm"></iframe><br>
<iframe id="iframe2" src="http://differentDomain.com/2.htm"></iframe><br>
<iframe id="iframe3" src="http://differentDomain.com/3.htm"></iframe><br>

Worthy of note: The following will recognize the difference between 2.htm and 3.htm even though the content is the same.
0
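
An added example, not part of the original thread or any poster's code: the same `contentWindow` comparison, extended to also check `e.origin` (the attribute described in the spec excerpt above), because a frame's window reference stays the same when the frame navigates to another site. The function name `identifySender`, the `EXPECTED_ORIGIN` map and the `http://home.example` origin are assumptions made for illustration.

```javascript
// Added example: map a message event to the iframe that sent it, and accept it
// only if it also comes from the origin that iframe is expected to host.
// EXPECTED_ORIGIN values are assumptions; browsers serialize origins in lowercase.
const EXPECTED_ORIGIN = {
  iframe1: "http://home.example",        // hypothetical origin of the home page
  iframe2: "http://differentdomain.com",
  iframe3: "http://differentdomain.com"
};

// frames: array-like of iframe elements (anything with .id and .contentWindow).
// Returns the iframe id, or null if the sender is unknown or on the wrong origin.
function identifySender(e, frames, expectedOrigin) {
  for (let i = 0; i < frames.length; i++) {
    // Identity comparison of window references is allowed cross-origin,
    // unlike reading e.source.frameElement.
    if (frames[i].contentWindow !== e.source) continue;
    const id = frames[i].id;
    // The window reference survives navigation of the frame, so pin the origin too.
    if (!Object.prototype.hasOwnProperty.call(expectedOrigin, id)) return null;
    return e.origin === expectedOrigin[id] ? id : null;
  }
  return null; // not one of our iframes (another window, or a frame nested deeper)
}

// Browser wiring (skipped when there is no DOM, e.g. under Node).
if (typeof document !== "undefined") {
  window.addEventListener("message", function (e) {
    const id = identifySender(e, document.getElementsByTagName("iframe"), EXPECTED_ORIGIN);
    if (id !== null) console.log("Message coming from iframe: " + id);
  });
}

// Constructed stand-ins for the three iframes and their events, for running offline.
function demo() {
  const w1 = {}, w2 = {}, w3 = {};
  const frames = [
    { id: "iframe1", contentWindow: w1 },
    { id: "iframe2", contentWindow: w2 },
    { id: "iframe3", contentWindow: w3 }
  ];
  return [
    identifySender({ source: w3, origin: "http://differentdomain.com", data: "ready" }, frames, EXPECTED_ORIGIN),
    identifySender({ source: w2, origin: "http://other.example", data: "ready" }, frames, EXPECTED_ORIGIN),
    identifySender({ source: {}, origin: "http://home.example", data: "ready" }, frames, EXPECTED_ORIGIN)
  ];
}
```

The message body plays no part in the decision, so a frame cannot change which id it is attributed to by what it sends.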

COBOLdinosaur Commented:
When you allow anything cross domain you risk the possibility that it will create an attack vector.  Whether or not someone finds a way to exploit what you are doing only time will tell. Using code from that site where security is concerned is always risky.  I removed the link because links to competing sites are a violation of the terms of use.

The first principle of security is not to let anyone know how you do things.

Cd&
0
GrrWolfie (Author) Commented:
Oh thanks, I had no idea about that! :X, thankfully the link didn't hold any additional info I didn't post.

Yeah I always assume for the worst-case scenario, good advice. ;)

Specifically I'm wondering if 2.htm or 3.htm could in some way impersonate 1.htm in the line:
if(frames[i].contentWindow===event.source)

0
COBOLdinosaur Commented:
With the code you have I don't see how 1.htm could be impersonated as long as it is the first one.  It would take some pretty sophisticated code injection to come close to that and there would have to be some kind of access point to do that.  So nothing in security ever being certain; I would say with 99% certainty that I don't think you have to be concerned about that.

Cd&
0
GrrWolfie (Author) Commented:
"as long as it is the first one"
Very interesting, I can't see how the order would make a difference? (This is under the assumption that the homepage is not compromised.)

I don't need much detail, just interest in the why. :)
0
COBOLdinosaur Commented:
An attack would have to use a code injection delivered by a virus that can load with the page and hide in the DOM. An attack targeting the first element of an array from the DOM is easier for AV active scanning to pick up, because of the way memory is managed during the creation of your frames variable; so most hackers will avoid index 0 to reduce the risk of triggering a virus alert.

Cd&
0
GrrWolfie (Author) Commented:
My answer fixed the problem and provided the necessary code to replicate. COBOLdinosaur answered all the follow up questions. :)
0