Trying to use PHP to bypass the iFrame 'Same Origin Policy'

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
djs1
Forum Newbie
Posts: 2
Joined: Mon Jul 15, 2013 12:14 am

Trying to use PHP to bypass the iFrame 'Same Origin Policy'

Post by djs1 »

Hello,

I'm working on a project where I would like to load the contents of one webpage (that I'm not hosting) into a webpage that I am hosting with the ability to access the DOM of the non-hosted page.

If anyone has any advice as to whether it's possible to achieve this, I'd love to hear some feedback. Maybe PHP isn't even the answer. Maybe I'm going about this all wrong. I'm definitely open to any suggestions at this point!

Thanks for reading,
DJS
Last edited by djs1 on Mon Jul 15, 2013 9:38 pm, edited 1 time in total.
User avatar
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: Trying to use PHP to bypass the iFrame 'Same Origin Poli

Post by mecha_godzilla »

Hi,

I don't think you'll be able to "include" another site using PHP - you can retrieve the content generated by that site (using cURL, which can be used to generate valid web requests) but PHP won't just treat an external site like a resource that you can include in your own scripts.

In the good old days, you would have done something like this with plain old frames but even then site owners got around other people embedding their sites into other sites by using "framebusting" code - remember that when you load a page into an iframe, the iframe is a child of whichever page opened it, and the page loaded inside the iframe can use JavaScript to determine whether it's the parent page or not. You'll still also need JavaScript to alter the contents of the site you're loading into the iframe, and at this point you'll run into the cross-domain problems - remember that these are a *good* thing, because without them the web would be a dangerous mess of CSRF exploits.

Is your company responsible for developing and maintaining the GUI software? If not, what happens with your carefully designed tutorial software when the interface changes? Based on my limited experience in this area, most 3rd-party site authorisation happens at the back-end - applications such as Facebook and Twitter have their own APIs specifically for this purpose that will validate the integrity of the web requests - but whether you can then turn this into a some kind of "push" model that will trigger a client-side action in the iframe page to (for example) highlight buttons is another matter.

I don't think what you're trying to achieve is impossible by any means, and there might be ways of working around the cross-domain issues, but it certainly sounds like a lot of work for someone :mrgreen: Some support companies would just install remote desktop software on the client's systems when they needed to do this kind of thing.

HTH,

Mecha Godzilla
djs1
Forum Newbie
Posts: 2
Joined: Mon Jul 15, 2013 12:14 am

Re: Trying to use PHP to bypass the iFrame 'Same Origin Poli

Post by djs1 »

Thank you very much for your reply.... you've given me a lot to think about here. I appreciate it.
Post Reply