Set iframe to height of content for remote content

iframe height xss
10,307

Solution 1

(My answer to a similar question)

It is not possible to do this without some control over the page being iframed because of the browser's security model. If it was possible, that would be a security problem and would have to be fixed.

Although letting the embedding site know the height of a third party webpage when embedded in the page seems harmless, this can leak information to the embedding site that the browser's user wants to keep private. For example, http://www.facebook.com/ renders differently depending on whether or not you are logged in, so if my website can work out the height of <iframe src="http://www.facebook.com/"> then I can work out whether or not you are a facebook user, something you probably don't want me to know.

The information leakage would be similar to the infamous CSS History Leak which browser vendors had to plug.

Solution 2

Is it possible to resize an iframe to fit the content when the iframe src attribute is for a page outside of the domain of the page containing the frame?

It is possible to get around the cross-site limitation and have an iframe set to the height of it's content, but it can be a bit awkward to get it to work.

The solution involves working around the security model by having the iframed content itself iframe a page on the the same server as the parent page, with which it can communicate. I've answered a similar question to this before here, which goes in to a fair bit of detail on the ins and outs of setting it all up.

The caveat on the described approach is that you must have means of getting your iframed content to itself iframe a page on the parent server. This is usually achieveable when the iframed content is there as part of an agreed partnership between sites, but YMMV.

Share:
10,307
Rick
Author by

Rick

Updated on July 11, 2022

Comments

  • Rick
    Rick almost 2 years

    The question of how to make your iframe fit 100% of your content (using JavaScript) has been answered on the forum already... for iframes displaying content from the same domain only.

    My questions: Is it possible to resize an iframe to fit the content when the iframe src attribute is for a page outside of the domain of the page containing the frame? The browser security features surrounding cross-site scripting prevent me from accessing the document object for the iframe.

    I'm looking for any creative solution. One of my thoughts was to somehow detect that scrollbars were visible on the iframe, and to incrementally increase the height until they weren't. Unfortunately I can't find any way to detect visible scrollbars either. Ideas?

    Please note that I am looking for a client-side solution.

    Responses:

    Dave

    The problem still exists - I don't know the height of the remote document ahead of time, so I can't set it from a database or querystring value.

    dusoft

    100% on the iframe in CSS will not set it to 100% of the content inside the iframe, but relative to the the page or containing element (i.e., a div or something).

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

dynamically resize iframe height based on dynamic content
Internet Explorer X-Frame-Options ALLOW-FROM not working in IE 11 and Edge
How do I disable XSS/"Same Origin" checking on Chrome?
Iframe width and Height values
How to change height of iframe based on dynamic conent within the iframe?
JS - iframe height with 100% and no scroll (Scroll-y in body)
jQuery adjusting iframe height
Error: Permission denied to access property "document"
iFrame Height Auto (CSS)
Set iframe content height to auto resize dynamically