Using iframes (inline frames) is often considered bad practice since it can hurt you from a SEO point view (contents of the iframes will not be indexed by search engines). But whenever you have an application which doesn’t require indexing of contents (e.g. because the content is only visible after the user has been authenticated and authorized) or you need to embed content from other web sites/apps, iframes provide a nice mechanism to include content in your app and ensure that this doesn’t cause any major security issues.
Please refer to the MDN which contains a good description of iframes and a few examples.
Accessing an iframe and its content
The first step in building using iframes is of course to define an iframe tag in your HTML code which will define where in the DOM, the external resources will be taken over:
<iframe id="iframe1"></iframe>
Now you have added this tag in your HTML code, you will most probably want to access it with JavaScript to set a URL to be loaded, define how the iframe contents should be displayed (e.g. the width and height of the iframe) and maybe access some of the DOM elements in the iframe. This section will show you how this can be done.
Please keep in mind that things are relatively easy when working with iframes which contents are loaded from the same host/domain. If you work with contents from other hosts/domains, you’ll need to have a look at the next sections as well.
Setting the URL and styles of an iframe
Setting the URL which contents need to be loaded in the iframe, just means setting the src property of the iframe object. And styling it can be done by using the style property. Here’s a short example:
var iframe1 = document.getElementById('iframe1');
iframe1.style.height = '200px';
iframe1.style.width = '400px';
iframe1.src = 'iframe.html';
In this case the source for the iframe contents is an HTML page on the same host/domain but you could also define a complete URL pointing to another location.
Detecting when the iframe’s content has been loaded
Before you can access the contents of the iframe, you will have to wait for the iframe contents to be loaded (just like you should wait for the contents of your page to be fully loaded before accessing and manipulating them). This is done by defining an onload callback on the iframe:
iframe1.onload = function() {
// your code here
}
Accessing the contents of the iframe
Once you’ve made sure that the iframe contents have been loaded, you can access it’s document using either the contentDocument property of the iframe object or by using the document property of the contentWindow property of the iframe. Of course, it’s just easier to use contentDocument. Unfortunately, it’s not supported by older versions of Internet Explorer so to make sure that it works in all browsers, you should check whether the contentDocument property exists and if not, revert to contentWindow.document:
var frameDocument = iframe1.contentDocument ? iframe1.contentDocument : iframe1.contentWindow.document;
var title = frameDocument.getElementsByTagName("h1")[0];
alert(title.textContent);
Interactions between iframe and parent
Now that you can load content in the iframe, define how it should be displayed and access its content, you might also need to go one step further and access the parent document (or the iframes properties) from the iframe itself.
Accessing the parent document
Just like we accessed the contents of the iframe from a script in the parent page, we can do the opposite (currently ignoring cross-domain issues) by using the document property of the parent object:
var title = parent.document.getElementsByTagName("h1")[0];
alert(title.textContent);
Accessing the iframe properties from the iframe
If you have some logic based on the styles of the iframe tag in the parent page (e.g. its width or height), you can use window.frameElement which will point you to the containing iframe object:
var iframe = window.frameElement;
var width = iframe.style.width;
alert(width);
Calling a JavaScript function defined in the iframe
You can call JavaScript functions defined in the iframe (and bound to its window) by using the contentWindow property of the iframe object e.g.:
iframe1.contentWindow.showDialog();
Calling a JavaScript function defined in the parent
Similarly, you can call a JavaScript function defined in the parent window by using the window property of the parent object e.g.:
parent.window.showDialog2();
Same Origin Policy
The Same Origin Policy is an important concept when using JavaScript to interact with iframes. This is basically a security policy enforced by your browser and preventing documents originating from different domains to access each other’s properties and methods.
What’s the same origin?
Two documents have the same origin, if they have the same URI scheme/protocol (e.g. http, https…), the same host/domain (e.g. google.com) and the same port number (e.g. 80 or 443).
So documents loaded from:
- http://google.com and https://google.com do not have the same origin since they have different URI schemes (http vs https)
- https://benohead.com and https://benohead.com:8080 do not have the same origin since they have port numbers (80 vs 8080)
- https://benohead.com and https://www.benohead.com do not have the same origin since they have different hostnames (even if the document loaded from www.benohead.com would be the same if loaded from benohead.com)
- http://kanban.benohead.com and https://benohead.com do not have the same origin since sub-domains also count as different domains/hosts
But documents loaded from URIs where other parts of the URI are different share the same origin e.g.:
- https://benohead.com and https://benohead.com/path: folders are not part of the tuple identifying origins
- https://benohead.com and http://user:password@benohead.com: username and password are not part of the tuple identifying origins
- https://benohead.com and https://benohead.com/path?query: query parameters are not part of the tuple identifying origins
- https://benohead.com and https://benohead.com/path#fragment: fragments are not part of the tuple identifying origins
Note that depending on your browser https://benohead.com and https://benohead.com:80 (explicitly stating the port number) might or might not be considered the same origin.
Limitations when working with different origins
A page inside an iframe is not allowed to access or modify the DOM of its parent and vice-versa unless both have the same origin. So putting it in a different way: document or script loaded from one origin is prevented from getting or setting properties of a document from another origin.
Interacting cross-domain
Of course, in most cases using iframes makes sense when you want to include contents from other domains and not only when you want to include contents from the same domain. Fortunately, there are a few options for handling this depending on the exact level of cross-domain interaction which is required.
URL fragment hack
What you would have done 5 to 10 years ago is workaround the limitation by using the fact that any window/iframe can set the URL of another one and that if you only change the fragment part of a URL (e.g. what’s after the hash sign #), the page doesn’t reload. So basically, this hack involves sending some data to another iframe/window, by getting a reference to this iframe/window (which is always possible), adding a fragment (or changing it) in order to pass some data (effectively using the fragment as a data container and setting the URL as a trigger event).
Using this hack comes with two main limitations:
- This hack doesn’t seem to work anymore in some browsers (e.g. Safari and Opera) which will not allow child frame to change a parent frame’s location.
- You’re limited to the possible size of fragment identifiers which depends on the browser limitation and on the size of the URL without fragment. So sending multiple kilobytes of data between iframes using this technique might prove difficult.
- It may cause issues with the back button. But this is only a problem if you send a message to your parent window. If the communication only goes from your parent window to iframes or between iframes, then you won’t see the URL and bookmarking and the back button will not be a problem.
So I won’t go into more details as how to implement this hack since there are much better ways to handle it nowadays.
window.name
Another hack often used in the past in order to pass data from an iframe to the parent. Why window.name ? Because window.name persists accross page reloads and pages in other domains can read or change it.
Another advantage of window.name is that it’s very easy to use for storage:
window.name = '{ "id": 1, "name": "My name" }';
In order to use it for communicating with the parent window, you need to introduce some polling mechanism in the parent e.g.:
var oldName = iframe1.contentWindow.name;
var checkName = function() {
if(iframe1.contentWindow.name != oldName) {
alert("window name changed to "+iframe1.contentWindow.name);
oldName = iframe1.contentWindow.name;
}
}
setInterval(checkName, 1000);
This code will check every second whether the window.name on the iframe has changed and display it when it has.
You seem to be able to store up to 2MB of data in window.name. But keep in mind that window.name was never actually not designed for storing or exchanging data . So browser vendor support could be dropped at any time.
Server side proxy
Since the single origin policy is enforced by the browser a natural solution to work around it is to access the remote site from your server and not from the browser. In order to implement it, you’ll need a proxy service on your site which forwards requests to the remote site. Of course, you’ll have to limit the use of the server side proxy in order not to introduce an exploitable security hole.
A cheap implementation of such a mechanism, could be to use the modules mod_rewrite or mod_proxy for the Apache web server to pass requests from your server to some other server.
document.domain
If all you’re trying to do is have documents coming from different subdomains interact, you can set the domain which will be used by the browser to check the origin in both document using the following JavaScript code:
document.domain = "benohead.com";
You can only set the domain property of your documents to a suffix (i.e. parent domain) of the actual domain. So if you loaded your document from “kanban.benohead.com” you can set it to “benohead.com” but not to “google.com” or “hello.benohead.com” (although you wouldn’t need to set it to “hello.benohead.com” since you can set the domain to “benohead.com” for both windows/frames loaded from “kanban.benohead.com” and “hello.benohead.com”).
JSON with Padding (JSONP)
Although not directly related to the inter-domain and inter-frame communication, JSONP allows you to call a remote server and have it execute some JavaScript function define on your side.
The basic idea behind JSONP is that the script tag bypasses the same-origin policy. So you can call a server using JSONP and provice a callback method and the server will perform some logic and return a script which will call this callback method with some parameters. So basically, this doesn’t allow you to implement a push mechanism from the iframe (loaded from a different domain) but allows you to implement a pull mechanism with callbacks.
One of the main restrictions when using JSONP is that you are restricted to using GET requests.
Cross-Origin Resource Sharing (CORS)
CORS is a mechanism implemented as an extension of HTTP using additional headers in the HTTP requests and responses.
Except for simple scenarios where no extra step is required, in most cases enabling CORS means that an extra HTTP request is sent from the browser to the server:
- A preflight request is sent to query the CORS restrictions imposed by the server. The preflight request is required unless the request matches the following:
- the request method is a simple method (i.e. GET, HEAD, or POST)
- the only headers manually set are headers set automatically by the user agent (e.g. Connection and User-Agent) or one of the following: Accept, Accept-Language, Content-Language, Content-Type.
- the Content-Type header is application/x-www-form-urlencoded, multipart/form-data or text/plain.
- The actual request is sent.
The preflight request is an OPTIONS request with an Origin HTTP header set to the domain that served the parent page. The response from the server is either an error page or an HTTP response containing an Access-Control-Allow-Origin header. The value of this header is either indicating which origin sites are allowed or a wildcard (i.e. “*”) that allows all domains.
Additional Request and Response Headers
The CORS specification defines 3 additional request headers and 6 additional response headers.
Request headers:
- Origin defines where the CORS request comes from
- Access-Control-Request-Method defines in the preflight request which request method will later be used in the actual request
- Access-Control-Request-Headers defines in the preflight request which request headers will later be used in the actual request
Response headers:
- Access-Control-Allow-Origin
- Access-Control-Allow-Credentials
- Access-Control-Expose-Headers
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
How does it work?
The basic CORS workflow with preflight requests looks like this:

The browser send an HTTP OPTIONS request to the remote server with the origin of the page and the request method to be used. The remote server responds with an allowed origin and allowed methods headers. The browser then proceeds with the actual HTTP request. If you want to use some additional headers, an Access-Control-Request-Headers will also be sent in the OPTIONS request and an Access-Control-Allow-Headers will be returned in the response. You can then use this additional header in the actual request.
CORS vs. JSONP
Although CORS is supported by most modern web browsers, JSONP works better with older browsers. JSONP only supports the GET request method, while CORS also supports other types of HTTP requests. CORS makes it easier to create a secure cross-domain environment (e.g. by allowing parsing of responses) while using JSONP can cause cross-site scripting (XSS) issues, in case the remote site is compromised. And using CORS makes it easier to provide good error handling on top of XMLHttpRequest.
Setting up CORS on the server
In order to allow CORS requests, you only have to configure the server to add the following header to its response:
Access-Control-Allow-Origin: *
Of course, instead of a star, you can also return a single origin (e.g. benohead.com) or using a wildcard in the origin (e.g. *.benohead.com). This header can also contain a space separated list of origins. In practice, maintaining an exhaustive list of all allowed origins might be difficult, so in most cases you’ll either have a star, a single origin or a single origin and an origin containing a star e.g. benohead.com *.benohead.com. If you want to support a specific list of origins, you’ll have to have the web server check whether the provided origin is in a given list of allowed origins and return this one origin in the response to the HTTP call.
And if the requests to the web servers will also contain credentials, you need to configure the web server to also return the following header:
Access-Control-Allow-Credentials: true
If you are expecting not only simple requests but also preflight requests (HTTP OPTIONS), you will also need to set the Access-Control-Allow-Methods header in the response to the browser. It only needs to contains the method requested in the Access-Control-Request-Method header of the request. But usually, the complete list of allowed methods is sent back e.g.:
Access-Control-Allow-Methods: POST, GET, OPTIONS
Security and CORS
CORS in itself is not providing with the means to secure your site. It just helps you defining how the browsers should be handling access to cross-domain resource (i.e. cross-domain access). But since it relies on having the browser enforce the CORS policies, you need to have an additional security layer taking care of authentication and authorization.
In order to work with credential, you have set the withCredentials property to true in your XMLHttpRequest and the server needs put an additional header in the response:
Access-Control-Allow-Credentials: true
HTML5 postMessage
Nowadays, the best solution for direct communication between a parent page and an iframe is using the postMessage method available with HTML5. Using postMessage, you can send a message from one side to the other. The message contains some data and an origin. The receiver can then implement different behaviors based on the origin (also note that the browser will also check that the provided origin makes sense).
parent to iframe
In order to send from the parent to the iframe, the parent only has to call the postMessage function on the contentWindow of the iframe object:
iframe1.contentWindow.postMessage("hello", "http://127.0.0.1");
On the iframe side, you have a little bit more work. You need to define a handler function which will receive the message and register it as an event listener on the window object e.g.:
function displayMessage (evt) {
alert("I got " + evt.data + " from " + evt.origin);
}
if (window.addEventListener) {
window.addEventListener("message", displayMessage, false);
}
else {
window.attachEvent("onmessage", displayMessage);
}
The parameter to the handler function is an event containing both the origin of the call and the data. Typically, you’d check whether you’re expecting a message from this origin and log or display an error if not.
iframe to parent
Sending messages in the other direction works in the same way. The only difference is that you call postMessage on parent.window:
parent.window.postMessage("hello", "http://127.0.0.1");