A 20 minute version for dotjs of my iframe abuse talk
A less than useful look atthe abuse the iframe takes.Remy Sharp • @rem • Left Logic
View Slide
2007: detect globals2008: jsbin2010: jsconsole2011: responsivepx
2008: 1.jsbin.com
2010: 2.jsbin.com
2012: 3.jsbin.com
framesets
Amazingly still work!two frames side by side
document.body = frameset
Scott Isaacs @ Microsoft 1997
iframe support dropped inXHTML 1.1Lack of support in IE7meant iframes stuck around.
Foundation of early comettechniques 2000/2006var iframe = document.createElement('iframe');iframe.style.display = 'none';document.head.appendChild(iframe);iframe.src = '/live-stream';require('http').createServer(function (req, res) {res.writeHead(200, { 'content-type': 'text/html' });res.write(sendPadding());setInterval(function () {res.write(getLiveData());}, 1000);});
iframe must be in DOM tostart writing to itvar window = iframe.contentWindow ||iframe.contentDocument.parentWindow;
function iframe() {var iframe = document.createElement('iframe');document.body.appendChild(iframe);return iframe.contentWindow ||iframe.contentDocument.parentWindow;}var window = iframe(),document = window.document;document.open();document.write(myAwesomeHTML);document.close();
Load won't fire until .close iscalled - though content loads
Take a generated iframe outof the DOM, it'll reset
Dynamic iframes don'tbehave like regular windows!
The "stick it in an iframe" bit
Auto-play!Missing on mobile?iOS 4 only :(
Site doesn't have JSON API?Put their HTML embed in aniframe and scrape away!
Detecting globals
Mobile WebView(PhoneGap, Chrome for iOS, etc)
Click-jackingWatch out!
Preventable in IE9+ viaX-Frame-Options: SAMEORIGIN
Damn you mobile version
"Damn flash-ad is showingthrough the dropdown!"
Sync loading can be offloadedto iframes, as it won't block theparent frame.
Factory reset a Samsung S3?
x-frame comms
For bi-directional non-sockets comms
Used in jsconsole's remote
your mobile siteadd <br/>iframe<br/>origin: jsconsole.com<br/>jsconsole.com<br/>postMessage &<br/>onmessage<br/>EventSource<br/>Ajax post<br/>
Set "base" origin viadocument.domain
iframe a.com– iframe b.com— iframe a.comDeep communicationhttp://bit.ly/cross-domain-barrier
Passing data before loadevent via: window.name
Sandboxingiframe return "clean" object
Enable appcache onunknown urls
•Request / == "app chrome"•All other urls include iframe to light manifest page•Manifest says: FALLBACK: /* /•Therefore: any request to an unknown url, the"app chrome" will load via the fallback
Future / Now / Good Parts• postMessage/onMessage• seamless• srcdoc• sandbox="allow-same-originallow-forms allow-scripts"http://benvinegar.github.com/seamless-talk/
In the next episode:setTimeout!Remy Sharp • @rem • Left Logicleftlogic.com/hiring
rem
linedevth
miyake
shimacos
non97
rigolon
grimoh
hmatsu47
kenta_hi
hiashisan
bengo4com
miu_crescent
pistatium
jrom
chriscoyier
chrisshort
eileencodes
pedronauck
tmm1
jacobian
stephaniewalter
jcasabona
lemiorhan
holman
colly