Hello,
I'm working on a project where I would like to load the contents of one webpage (that I'm not hosting) into a webpage that I am hosting with the ability to access the DOM of the non-hosted page.
If anyone has any advice as to whether it's possible to achieve this, I'd love to hear some feedback. Maybe PHP isn't even the answer. Maybe I'm going about this all wrong. I'm definitely open to any suggestions at this point!
Thanks for reading,
DJS
Trying to use PHP to bypass the iFrame 'Same Origin Policy'
Moderator: General Moderators
Trying to use PHP to bypass the iFrame 'Same Origin Policy'
Last edited by djs1 on Mon Jul 15, 2013 9:38 pm, edited 1 time in total.
- mecha_godzilla
- Forum Contributor
- Posts: 375
- Joined: Wed Apr 14, 2010 4:45 pm
- Location: UK
Re: Trying to use PHP to bypass the iFrame 'Same Origin Poli
Hi,
I don't think you'll be able to "include" another site using PHP - you can retrieve the content generated by that site (using cURL, which can be used to generate valid web requests) but PHP won't just treat an external site like a resource that you can include in your own scripts.
In the good old days, you would have done something like this with plain old frames but even then site owners got around other people embedding their sites into other sites by using "framebusting" code - remember that when you load a page into an iframe, the iframe is a child of whichever page opened it, and the page loaded inside the iframe can use JavaScript to determine whether it's the parent page or not. You'll still also need JavaScript to alter the contents of the site you're loading into the iframe, and at this point you'll run into the cross-domain problems - remember that these are a *good* thing, because without them the web would be a dangerous mess of CSRF exploits.
Is your company responsible for developing and maintaining the GUI software? If not, what happens with your carefully designed tutorial software when the interface changes? Based on my limited experience in this area, most 3rd-party site authorisation happens at the back-end - applications such as Facebook and Twitter have their own APIs specifically for this purpose that will validate the integrity of the web requests - but whether you can then turn this into a some kind of "push" model that will trigger a client-side action in the iframe page to (for example) highlight buttons is another matter.
I don't think what you're trying to achieve is impossible by any means, and there might be ways of working around the cross-domain issues, but it certainly sounds like a lot of work for someone
Some support companies would just install remote desktop software on the client's systems when they needed to do this kind of thing.
HTH,
Mecha Godzilla
I don't think you'll be able to "include" another site using PHP - you can retrieve the content generated by that site (using cURL, which can be used to generate valid web requests) but PHP won't just treat an external site like a resource that you can include in your own scripts.
In the good old days, you would have done something like this with plain old frames but even then site owners got around other people embedding their sites into other sites by using "framebusting" code - remember that when you load a page into an iframe, the iframe is a child of whichever page opened it, and the page loaded inside the iframe can use JavaScript to determine whether it's the parent page or not. You'll still also need JavaScript to alter the contents of the site you're loading into the iframe, and at this point you'll run into the cross-domain problems - remember that these are a *good* thing, because without them the web would be a dangerous mess of CSRF exploits.
Is your company responsible for developing and maintaining the GUI software? If not, what happens with your carefully designed tutorial software when the interface changes? Based on my limited experience in this area, most 3rd-party site authorisation happens at the back-end - applications such as Facebook and Twitter have their own APIs specifically for this purpose that will validate the integrity of the web requests - but whether you can then turn this into a some kind of "push" model that will trigger a client-side action in the iframe page to (for example) highlight buttons is another matter.
I don't think what you're trying to achieve is impossible by any means, and there might be ways of working around the cross-domain issues, but it certainly sounds like a lot of work for someone
HTH,
Mecha Godzilla
Re: Trying to use PHP to bypass the iFrame 'Same Origin Poli
Thank you very much for your reply.... you've given me a lot to think about here. I appreciate it.