In the context of a user script, for example executed by Tampermonkey, is it possible to communicate between two pages of different domains, which set 'X-Frame-Options' to 'SAMEORIGIN'?
I know about this way of sending messages from one page to another by using iFrames and postMessage, but when working with sites you dont control, like in my case Stack Overflow and Google (working on a bot to automate something for myself), you'll get the SAMEORIGIN error when trying to create the iFrame.
But I thought since I'm able to insert script in both pages, it might be possible to pull off some workaround or alternate solution.
One suggestion, a shared worker looked promising, but it seems to require the page to be from the same origin. Also I looked at the Broadcast Channel API spec, but it isn't implemented anywhere yet, and it also seems to be bound to the same origin policy.
Another suggested possibility mentioned so far in the comments is to use the GM API since this is a user-script (extended / special JS features). With GM_xmlhttpRequest we can ignore cross domain restrictions and load google.com, then put it in an iframe, but all the sources will point to the site where the iframe is embedded, so searching the Google page tries to execute the search params on the parent site's domain.
GM_xmlhttpRequest({ method: "GET", url: "https://www.google.com", headers: { "User-Agent": "Mozilla/5.0", "Accept": "text/xml" }, onload: function(response) { $('html').html('<iframe id="iframe"></iframe>'); $("#iframe").contents().find('html').html(response.responseText); }); Maybe I could edit the search requests to point to google.com specifically, rather than letting the search adopt the parent page's domain. And if that fails due to some hangup with the same origin policy, I could even try to replace Google's xmlhttpRequest's with GM_xmlhttpRequest's, but I'm not sure if that can be done since the user script, if you load GM functions, will run in a sandbox, unable to intertwine with the pages scripts if I understand correctly. I'm just not sure.
On the other hand, if we can trick the iframe's contents to treat google.com as the domain for requests, though we're in business, but examples don't seem to exist for this kind of thing, so I'm having trouble figuring out how to make it happen.
1 Answers
Answers 1
Yes, it is possible, via 2 routes:
- Since it's a user-script, you have access to special functions known as GM functions. With
GM_xmlhttpRequest, we can send a request which ignores the same origin policy, allowing us to load the third party page in an iFrame, allowing communication between the frames viapostMessage. The good thing about this is there's no page reloading, but the bad thing is, you will have to dynamically modify the frame's nativexmlhttpRequestto execute aGM_xmlhttpRequestand specify the full target URL, not just a path such as/example.js, otherwise the domain of the outer window will be used in any requests made by the internal frame. - We can use URL queries by openning a tab of the same origin as the page you want to communicate with. Then we can use shared web workers to post messages to any previously opened pages of that domain and send the data from the URL query to the page you want. The pros are you don't have to dynamically modify the pages' scripts, but the cons are that you have to open a new tab for each message between different domains.
0 comments:
Post a Comment