How can I keep track of an input value that I can't access with JavaScript?

Exception or error:

I’m trying to read the value of an input inside a cross-origin iframe, which traditionally isn’t possible due to CORS (as far as I know). The iframed site doesn’t let me access the value of the input, but they do return onfocus and onblur events, which got me thinking: can I listen for onfocus and onblur events from the iframe and onkeydown and onpaste events from the main document and recreate the input value? I’m a little concerned about someone moving their cursor to a different character and continuing to type, but I thought there was a browser API to help keep track of that. I’m not sure how this all comes together, or if this would even be possible. Where do I start? How can I keep track of an input value that I can’t access with JavaScript?

How to solve:

The onblur and onfocus events aren’t actually coming from the document inside of your iframe. They come from the window object of the iframe, saying that the iframe is losing or getting focus. As you noted, there is no way to get the input value from their page within the iframe without using CORS in some way.

It’s usually a really bad idea to try to circumvent a security measure. Think about what you are asking for. Replace the phrase “value of an input” with “stranger’s credit card number.” That’s what you’re asking the web to permit.

The way developers across domains get around these security measures is by collaborating with each other. This is what CORS is about. It still doesn’t allow direct JS hijacking across domains, but it allows two parties to say “We trust each other” enough to share each other’s resources. Then you can work out how to communicate with each other, like fetching data from each other’s servers that track events.

Rather than trying to hijack another site, consider other ways to solve the problem at hand. Password managers, for example, work at the browser extension level instead of the page level and have a different sandbox. But continue to consider if what you’re attempting is opening Pandora’s box for someone else.
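As an added illustration of the cooperative route the answer describes (this is example code, not from the original post or either site): the embedded page decides what it is willing to share and sends it to its parent with `window.postMessage`, the standard browser channel for talking between windows of different origins; the embedding page accepts only messages whose `event.origin` matches an allow-listed origin and whose payload has the expected shape. The origins `https://parent.example` and `https://widget.example`, the message type `input-status`, and the validation rule are all assumptions made for the example. The widget intentionally reports length and validity rather than the raw value, so the embedding page learns only what the widget chose to expose.

```javascript
// Added example, not code from the original page. Demonstrates the
// opt-in, origin-checked message exchange between an iframed widget and the
// page embedding it. Origins, message type and field names are assumptions.

const TRUSTED_PARENT = 'https://parent.example'; // assumed origin of the embedding page
const TRUSTED_CHILD = 'https://widget.example';  // assumed origin of the iframed page

// --- Widget (iframed page) side --------------------------------------------
// Build the message the widget chooses to expose. It shares validity and
// length only, never the raw value, so the parent cannot reconstruct the input.
function buildStatusMessage(inputValue) {
  return {
    type: 'input-status',
    length: inputValue.length,
    valid: /^[0-9]{4,}$/.test(inputValue), // assumed validation rule for the example
  };
}

// In the widget page this would be wired up as:
//   input.addEventListener('input', (e) =>
//     window.parent.postMessage(buildStatusMessage(e.target.value), TRUSTED_PARENT));
// Passing an explicit target origin (not '*') means the browser drops the
// message if the parent is not actually on the expected origin.

// --- Embedding (parent) page side ------------------------------------------
// Validate a MessageEvent-like object before trusting anything in it.
// Returns the accepted status, or null if the message should be ignored.
function acceptStatusMessage(event, trustedOrigin = TRUSTED_CHILD) {
  if (event.origin !== trustedOrigin) return null;          // unknown sender
  const data = event.data;
  if (!data || data.type !== 'input-status') return null;   // unexpected message type
  if (typeof data.length !== 'number' || typeof data.valid !== 'boolean') {
    return null;                                            // malformed payload
  }
  return { length: data.length, valid: data.valid };
}

// In the parent page this would be wired up as:
//   window.addEventListener('message', (e) => {
//     const status = acceptStatusMessage(e);
//     if (status) updateUi(status);  // updateUi is an assumed app function
//   });
```

In a real page the parent can tighten the check further by also comparing `event.source` against `iframe.contentWindow`, so that a message from some other window on the trusted origin (a popup, another frame) is not mistaken for the widget's.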
