Access Parent URL from iFrame: Restrictions and Workarounds

Accessing the URL of the parent frame from an iFrame can be a challenge, particularly when the iFrame is located on a different subdomain. This is due to security restrictions imposed by cross-site scripting (XSS) prevention measures.

When accessing the iFrame from the same domain and subdomain as the parent frame, accessing the parent's location should be straightforward using expressions like parent.document.location or parent.window.location. However, as highlighted by the user, this approach fails when the iFrame is on a different subdomain.

To further illustrate this point, consider the example provided where pageA.html is hosted on http://www.mysite.com/ and pageB.html (the iFrame) is hosted on http://qa-www.mysite.com/. Attempting to retrieve the parent's URL from pageB.html will trigger an access denied error. This confirms that subdomains are also subject to cross-site scripting restrictions.

While accessing the parent's URL directly is prohibited under these circumstances, there is a workaround that can be utilized. To obtain the URL of the parent frame, the following JavaScript code can be employed:

var url = (window.location != window.parent.location)
            ? document.referrer
            : document.location.href;

Note:

• window.parent.location avoids the security error caused by accessing the href property (window.parent.location.href).
• document.referrer refers to the URI of the page that linked to the iFrame. This may not return the containing document if the iFrame location was determined by another source.
• document.location refers to the URL of the document, which is the iFrame in this case. When window.location and window.parent.location are identical, the iFrame's href is the same as the parent's href.