Prevent calling top frame's native methods from an iframe

Posted: Tue Apr 24, 2018 9:48 am
by ldamis
Hi everybody.

I'll try to explain myself as best I can...

I've implemented some native functions in C++ that can be called from JavaScript, and I've registered them with CefRegisterExtension in the CefRenderProcessHandler::OnWebKitInitialized() method.
My goal is to prevent these functions from being called by an iframe inside the top frame.

For example:
My function is triggered in JavaScript by calling MyNativeFunction().
With this code I'm able to call this function from an iframe:

Code:
if(window.parent)
{
   if(window.parent.MyNativeFunction)
   {
      window.parent.MyNativeFunction();
   }
}


I've tried deleting the parent object (window.parent) when CefRenderProcessHandler::OnContextCreated() is called from a frame that is not the main frame (!frame->IsMain()), and it works.

The question is: is there any other solution to get this result without deleting the parent object in the iframe's window object?

Thanks in advance for any suggestions.

Re: Prevent calling top frame's native methods from an iframe

Posted: Tue Apr 24, 2018 1:35 pm
by magreenblatt
Use OnContextCreated and bind your functions in only the frames you want. See https://bitbucket.org/chromiumembedded/ ... gration.md

Re: Prevent calling top frame's native methods from an iframe

Posted: Thu Apr 26, 2018 4:32 am
by ldamis
magreenblatt wrote: Use OnContextCreated and bind your functions in only the frames you want. See https://bitbucket.org/chromiumembedded/ ... gration.md


Thanks for the answer, but it does not solve my problem.
I tried, but my native function is still callable from the iframe, via the parent object.

I finally solved it in the C++ implementation of my native function, in CefV8Handler::Execute:

Code:
// Inside CefV8Handler::Execute: find the frame of the current V8 context
CefRefPtr<CefV8Context> current_context = CefV8Context::GetCurrentContext();
CefRefPtr<CefFrame> frame = current_context->GetFrame();

if (frame->IsMain()) {
   // Execute function
}
else {
   // Do nothing
}

Re: Prevent calling top frame's native methods from an iframe

Posted: Thu Apr 26, 2018 4:56 am
by magreenblatt
If the frames don't need to script each other you can use iframe sandbox attributes to isolate them: https://www.w3schools.com/tags/att_iframe_sandbox.asp

Re: Prevent calling top frame's native methods from an iframe

Posted: Thu Apr 26, 2018 5:36 am
by ldamis
magreenblatt wrote: If the frames don't need to script each other you can use iframe sandbox attributes to isolate them: https://www.w3schools.com/tags/att_iframe_sandbox.asp


Thank you. This information is very useful (I admit that I didn't remember that :? ).

Re: Prevent calling top frame's native methods from an iframe

Posted: Thu Apr 26, 2018 7:33 am
by ldamis
I think I will maintain my solution because, in my specific case, I do not write the HTML and JavaScript code of the pages that I need to render.
If I understand correctly, all iframes inside the page I run would need to have the "sandbox" attribute.

Injecting "sandbox" attributes into all possible iframes inside my target page could be a little trickier than my solution (even if I can do that in JavaScript and not in C++).
Obviously that is only my opinion...
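
The iframe sandbox approach discussed in the thread, as an added example that is not part of any post: a read-only audit that reports which iframes on a page are actually isolated from the parent by their sandbox attribute. The names classifySandbox, auditFrames, fakeDoc and SAMPLE_DOC are hypothetical, and the sample document is constructed so the code also runs outside a browser.

```javascript
// Added example, not code from the thread. Classifies an iframe's sandbox
// attribute by whether script in the frame is cut off from window.parent.
// value: the sandbox attribute string, or null when the attribute is absent.
function classifySandbox(value) {
  if (value === null || value === undefined) {
    return { isolated: false, reason: "no sandbox attribute" };
  }
  // Tokens are separated by ASCII whitespace and compared case-insensitively.
  const tokens = new Set(
    value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean)
  );
  if (!tokens.has("allow-scripts")) {
    return { isolated: true, reason: "scripts are disabled in the frame" };
  }
  if (tokens.has("allow-same-origin")) {
    // The frame keeps its real origin, so same-origin content can still
    // script the parent (and could remove its own sandbox attribute).
    return { isolated: false, reason: "allow-scripts with allow-same-origin" };
  }
  return { isolated: true, reason: "scripts run in an opaque origin" };
}

// Audit every iframe of a document-like object (a real `document` in a page).
function auditFrames(doc) {
  return Array.from(doc.querySelectorAll("iframe"), (el) => ({
    src: el.getAttribute("src"),
    ...classifySandbox(el.getAttribute("sandbox")),
  }));
}

// Constructed stand-in for a DOM document (sample data, not a real page).
function fakeDoc(frames) {
  return {
    querySelectorAll: () => frames.map((attrs) => ({
      getAttribute: (name) => (name in attrs ? attrs[name] : null),
    })),
  };
}

const SAMPLE_DOC = fakeDoc([
  { src: "a.html" },                                             // no sandbox
  { src: "b.html", sandbox: "" },                                // fully sandboxed
  { src: "c.html", sandbox: "allow-scripts allow-same-origin" }, // not isolated
  { src: "d.html", sandbox: "Allow-Scripts  allow-forms" },      // opaque origin
]);
```

A sandbox attribute that is added or changed on a frame that has already loaded only takes effect at that frame's next navigation, so an audit like this is most useful before the frames load.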