com_wrapper iframeHeight function blocked.

[Sophist-UK]

Steps to reproduce the issue

Use com_wrapper to put an iframe in a module.

Expected result

No js console errors

Actual result

In Chrome:

VM1127:66 Uncaught DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "http://www.xxxx.co.uk" from accessing a cross-origin frame.
    at HTMLIFrameElement.contentDocumentDesc.get [as contentDocument] (<anonymous>:66:14)
    at iFrameHeight (http://www.xxxx.co.uk/media/com_wrapper/js/iframe-height.js:5:55)
    at HTMLIFrameElement.onload (http://www.xxxx.co.uk/:809:19)

System information (as much as possible)

Joomla 3.8.3.
Chrome 64-bit v63.0.3239.84 on Windows 10 Pro 64-bit 1709.

Additional comments

The html causing the issue is:

<iframe onload="iFrameHeight()"	id="blockrandom"
	name=""
	src="https://yyyy.com/"
	width="100%"
	height="500"
	scrolling="auto"
	frameborder="0"
	title="Discord"
	class="wrapper" >
	No iframes</iframe>

and it is the call to the iframeHeight js function in the main site from inside an iframe that appears to be the cause of the error.

[dgrammatiko]

Try #18916

Although I think this code will never execute for different domains due to browsers restrictions

[Quy]

This is for Joomla 3. Try this #19136.

[Sophist-UK]

Yes - the issue is that the approach of trying to execute a JS function in the main window from inside an iframe is that it breaks cross-site security rules and is blocked.

So #19136 will not work for this reason (though it also has another issue - I have tested it and reported a js error).

[dgrammatiko]

There is nothing we can do for this, this is something that users need to understand and enable the script (auto height) only for domains they control

[Sophist-UK]

My point is that this concept needs to be withdrawn from Joomla - Joomla should not be using inappropriate functionality nor creating error messages in the JS console.

[dgrammatiko]

This functionality is totally fine for the same or domains that you might have control.

[Sophist-UK]

1. Is there another way of achieving the same goal without attempting cross-domain JS? Perhaps using simple CSS (which I haven't tried) like:

<div style="overflow:hidden">
    <iframe 
        src="http://www.example.com" 
        frameborder="0" 
        style="overflow:hidden;height:100%;width:100%" 
        height="100%" width="100%">
    </iframe>
</div>

2. How about testing for domains of parent and iframe being the same and only running this if they are?

3. Make the use of iframeHeight optional, and also provide an option for HTML5 sandbox="allow-scripts" attribute with warnings about security consequences.

4. See whether David Bradshaw's iframe-resizer would solve this.

[brianteeman]

As stated by @dgrammatiko this is beyond our control and the option and its limits are described correctly - please close - if I have misunderstood something it can always be reopened

[joomla-cms-bot]

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/19337