Frack he did it again.
In a meeting with the department mgr and going over a request feature *we already discussed ad nauseam* that wasn’t technically feasible (do-able, just not worth the effort)

DeptMgr: “I want to see the contents of web site A embedded in web site B”
Me: “I researched that and it’s not possible. I added links to the target APM dashboard instead.”
Dev: “Yes, it’s possible. Just use an IFrame.”
DeptMgr: “I thought so. Next sprint item …what’s wrong?…you look frustrated”
Me: “Um..no…well, I said it’s not possible. I tried it and it doesn’t work”
Dev: “It’s just an IFrame. They are made to display content from another site.”
Me: “Well, yes, from a standard HTML tag, but what you are seeing is rendered HTML from the content manager’s XML. It implemented its own IFrame under the hood. We already talked about it, remember?”
Dev: “Oh, that’s right.”
DeptMgr: “So it’s possible?”
Dev: “Yea, we’ll figure it out.”
Me: “No…wait…figure what out? It doesn’t work.”
Dev: “We can use a powershell script to extract the data from A and port it to B.”
DeptMgr: “Powershell, good…Next sprint item…”
Me: “Powershell what? We discussed not using powershell, remember?”
Dev: “It’s just a script. Not a big deal.”
DeptMgr: “Powershell sounds like a right solution. Can we move on? Next sprint item….are you OK? You look upset”
Me: “No, I don’t particularly care, we already discussed executing a powershell script that would have to cross two network DMZs. Bill from networking already raised his concern about opening another port and didn’t understand why we couldn’t click a link. Then Mike from infrastructure griped about another random powershell script running on his servers just for reporting. He too raised his concern about all this work to save one person one click. Am I the only one who remembers this meeting? I mean, I don’t care, I’ll do whatever you want, but we’ll have to open up the same conversations with Networking again.”
Dev: “That meeting was a long time ago, they might be OK with running powershell scripts”
Me: “A long time ago? It was only two weeks.”
Dev: “Oh yea. Anyway, lets update the board. You’ll implement the powershell script and I’ll …”
Me: “Whoa..no…I’m not implementing anything. We haven’t discussed what this mysterious powershell script is supposed to do and we have to get Mike and Bill involved. Their whole team is involved in the migration project right now, so we won’t see them come out into the daylight until next week.”
DevMgr: “What if you talk to Eric? He knows powershell. OK…next sprint item..”
Me: “Eric is the one who organized the meeting two weeks ago, remember? He didn’t want powershell scripts hitting his APM servers. Am I the only one who remembers any of this?”
Dev: “I’m pretty good with powershell, I’ll figure it out.”
DevMgr: “Good…now can we move on?”

GAAAHH! I WANT A FLAMETHROWER!!!

Ok…feel better, thanks DevRant.

I was hired as a senior software engineer. During handover I found out I'm actually replacing the CTO.

I queried why he was leaving and got a simple "just want a break from working" which I found odd.

Fast forward and now I also just want a break from work, permanently. This place has followed every bad practise and big no-no out there. Every bit of software is a built in house knockoff janky piece of crap that doesn't work and makes people's jobs 5000 times harder.

The UI looks worse than Windows 3.1, absolutely horrendous code formatting, worst database structure I've ever seen.

The mere mention of using a team communication tool results in being yelled at from the CEO whom communicates purely via email, who then gets annoyed when you don't reply because they sent the email to a client instead of you.

We get handed printed out "tickets" to work instead of the so called "amazing in house ticket system" built using PHP 5 and is literally crammed into an 800x600 IFrame. Yes a F$*#ing IFRAME!

It's not like we have an outdated TFS server that has work items we can use...

Why not push for changes you say. I have, many times, tried to suggest better tools. The only approval I've gotten is using PhpStorm. Everything else is shutdown immediately and you get the silent treatment.

The CEO hired me to do a job, then micromanages like crazy. I can't make UI changes, I can't make database changes, why? They insists they know best, but has admitted multiple times to not knowing SQL and literally uses a drag and drop database table builder.

Every page in the webapps we make are crammed into 800x600 iframes with more iframes inside iframes. And every time it's pointed out we need to do something, be it from internal staff or client suggestions, the CEO goes off about how the UI is industry leading and follows standards.. what in the actual f....

Literally holding on by a thread here. Why hire a CTO under the guise of being a senior developer but then reduce the work that can be done down to the level of a junior?

Sure the paycheck is really nice but no job is worth the stress, harassment and incompetent leadership from the CEO.

They've verbally abused people to the point they resign, best part is that was simply because the CEO made serious legal mistakes, was told about it by the employee then blamed it on others.

I'm about to put an iframe in an Angular app that displays a Java applet. This isn't development, it's a suicide note

Dear those who did microsoft sharepoint front-end,

Fuck you

P.S. There is still 3 levels of iframe and table, but I can't show it because it contains data

So yesterday a friend of mine closed a ticket which has been open for around two years: "Automatically publish job offers in our internal wiki."

This was the conversation between him and HR.
- Friend: They're all on our website. Why should they be in our wiki too?
- HR: So that our employees can see them and recruit people for us.
- Friend: How about I just put the link in our wiki?
- HR: No, no links. They should all just be in our wiki.
- Friend: *<iframe src="website"></iframe>*

Now HR and everyone else is happy.

So the embassy of X country in X country wanted me to move their website from hover.com - so I checked the particular site.

And it is just an iframe to a wordpress.com website, and they had no idea.

When you build a fully responsive web app and the client IT dept goes and sticks it in an iframe on their Sitecore site 😱

Boss: We need to disable CSRF and any other form of security, because that shitty, insignificant client has a website that is abomination anyone's eyes, can't pay because of the iframe thingy.

Me: I'd advice against it. This is a significant security issue that just screams to be exploited and there has to be a solution, but idk much about this situation.

Boss: Idk we need to kiss every clients ass till they come. Remove all the security

Me: *Just wants to get home, last one in the office besides the boss* fine
*removes it, deploys and gets the fuck home*

...2 weeks later

Payment gateway: Yeah, we blocked your account, because someone was trying to purchase 30k product in a span of 1h

I'm not even mad about that, but rather about the fact I fucking called it.

* Achievement unlocked: Targeted by scammers

P.s. no major damages, cause the guys from the payment gate understand shit about security.

Every time I say "fuck it just use an iFrame"

This fcktard client that insist on using an iframe and demands support for browsers like IE7. You are costing me years of my life.

Fucking fuck of a Microsoft trying to protect people against tracking from 3d parties in an iframe in random ways in some versions of IE7. Or IE11 in IE7 compatibility mode.

If you are going to refuse sessions just do it! I got a fucking check and fix for that. Because these fuck faces friendly people at Apple like to refuse sessions on iPads and iPhone too. But we worked that out, because they are at least consistent. So a few dirty little hacks made it all Okay.

But no, Boo Hoo I'm Microsoft and I will throw a tantrum. I like my browsers to be like an magican, instead of an usefull piece of software. If you look in this page, or look here we got them. I got your sessions​, safe and secure.

But when you need me, to verify that the user is allowed to access data we do a little hocus pocus and now they are gone. Nowhere to be seen or found again. Fun times free fucking magic shows all day long.

It's morning but maybe its time for a bottle of scotch. Maybe if I'm in the state as this browser. Where I don't know what I'm doing because I'm shitfaced drunk it will start working.

When in Rome do as the romans do.

I used to work for a company that had a main website and a lightweight app. LW app was distributed to partners and added to other sites using an iframe.

Someone decided a requirement was to retain the shopping cart for anonymous users. Some dev thought the best way to do that was to issue auth cookies to anonymous users.

The auth cookie issued by the LW app was actually for the main site. A few users for LW app decided to just come to main site to make a purchase. Since they already had an auth cookie (issued from LW app), they were never prompted to log in, create an account, or use guest checkout on the main site. They were still able to complete their order and we had their shipping address, but we didn’t have their email address so we couldn’t contact them about their order.

Customer service had no way to email customers if something went out of stock or if there was a product recall. CS would have to call these customers and ask for email addresses. Good luck getting anyone to answer or return a call nowadays. Customers were asking where their confirmation email was. The admin website was polluted with “users” that had the placeholder email for non-logged in users.

This happened because of a combination of an understaffed and overextended engineering department. Of course when something goes bad it’s going to be bad.

TOI needs better Web devs 😂

This fucking teacher was my "Web Design" teacher in high school.

Okay, yes, I acknowledge that this is an entry level course, but does that honestly mean that we need to teach the same source taught to students in the 90s? You know, the one where all layouts are table/iframe-based?

I understand that I completely disregarded your set criteria for grading by using CSS to create my website rather than tables and I frames, however I believe that it's fairly logical to conclude that anyone using CSS has a sufficient comprehension of HTML to be able to pass your stupid assignments. So why must time be wasted with coding poorly designed sites?

I gave vimeo video ID to an intern, told her to use vimeo link in iframe and she replaced a youtube video ID in the iframe and told me that it's not working.. facepalm

CSS + Noob + Import html
Hey guys
Need some help here.
Is it possible to include an HTML file inside another HTML file without an iframe? I wanted to create the structure of the page in one file and include it inside another HTML (for example, have one index that dynamically includes an HTML file in a section, called by the menu OR having the menu, top and footer in one or two files and include them in all the other pages...)

Microsoft fucking Sharepoint.

How can software so shitty exist?

To upload an image, I need to F12 and increase the dimensions on an iframe so I can click the save button.

Have any Sharepoint horror stories to share?

I found someone added a webapp I made to their site in an iframe.

The 'dark' box at the bottom of the screenshot is my webapp.

I don't really mind them iframing it. I hate adverts but I don't mind that much that they have adverts on their site.

I am very annoyed however that they have a huge overlay appearing on top telling people to turn off their ad-blocker. Also they use alert() to tell people to share their site on social media!

Being told to turn off my ad-block and having to close alert popup boxes are two of my most hated things.

So now I made a little update to my site so their visitors will see a nice little song playing.

Alright so I’m in the final stages of my companies website. I want advice from you all. Instead of ads for extra revenue, I’m asking you all personally; How would you feel if a website (yes, like what the famous pirating company was doing) used your computers processing power to mine while the website was open? There wouldn’t be any annoying ads and I could simply hide it in an iframe?

Negative and positive feedback please.

I have found a website that allows HTML in comments. They blocked <script>, but not <iframe>. I can just load a script from my personal website using it. What should i do?
(something innocent)

fuck wordpress... Got a request to improve wordpress site speed + pagespeed score. 20-30 plugins, 15 or more additional ones off. Improved the score and noticed that my adblocker is blocking a lot of urls. Sure enough theres a hidden iframe in the bottom with 10 ad network scripts and bidding get requests. Someone is making ad revenue from this shit.. wtf. I've only had problems with shitty wordpress sites being hacked for some reason. It's always a shitty experience. Any tips on fixing hacked wordpress sites?

A question here reminded me of how websites were made long ago. Frames! Remember those little jewels? <frameset> and <iframe>, I still remember them. Man, even then it felt terribly wrong to use them. I remember using them to create web pages with header and side bar.

The only alternative was using <tables>, which, well, we know how they ended up. Frames today have been silently forgotten, but tables have been loudly hated for many years!

Ahhh, those were the times. So much has happened since then.

(Is "website" still a word today, btw?)

Recently, one of my customers filed a ticket because some iFrame he got from another company wouldn't display after putting it into the content editor.
I told her it won't work because the (third-party) editor prohibits JavaScript inside iFrame tags and their attributes for security reasons.
She said ok. She said she'd understood the problem. And then, she reopened the ticket four (4!!!) times for the exact same reason, once because she tried to use a fixed iFrame tag the other company sent to her... still containing JavaScript, of course.

But, yeah... She understood what the problem was. Is clear.

<iframe>

so…

let's make a translation website game thing

ooh! web hosting! check black friday deal!
buys website + hosting
~$100

oooh, let's check out google's translation api

>0.00001$ wtf no i aint paying that shitz or i wouldnt been a h4x3r

how can i work around this?
i know! ill make an iframe and input text as if i were a user

firefox: fuq u bish google isnt allowing framing for its translations

well gonna find another work around tommorow

maybe share the link too :)

Well. I'm simply SO UNFUCKINGBELIEVABLE PISSED RIGHT NOW!! {>,,,<}

I'm implementing a monolithic frontend that embeds different projects which I don't want to alter if not really necessary. So I put them all into iframes, already handled all the security and auth stuff with proxies and so on and now I just want to access the body.scrollHeight property. Which is not even the probelm at all.

The fucking Problem is, that I just can't find a way to hook into any event which fires when all content is loaded and the final scrollHeight is set. Instead it just returns some default value that is set when the iframe element is loaded, but not something that is actually based on it's damn ass-fucking contents!!

Iframes are fucking pricks and I know I'll gonna go to hell for abusing them like this :S

Got one right now, no idea if it’s the “most” unrealistic, because I’ve been doing this for a while now.

Until recently, I was rewriting a very old, very brittle legacy codebase - we’re talking garbage code from two generations of complete dumbfucks, and hands down the most awful codebase I’ve ever seen. The code itself is quite difficult to describe without seeing it for yourself, but it was written over a period of about a decade by a certifiably insane person, and then maintained and arguably made much worse by a try-hard moron whose only success was making things exponentially harder for his successor to comprehend and maintain. No documentation whatsoever either. One small example of just how fucking stupid these guys were - every function is wrapped in a try catch with an empty catch, variables are declared and redeclared ten times, but never used. Hard coded credentials, hard coded widths and sizes, weird shit like the entire application 500ing if you move a button to another part of the page, or change its width by a pixel, unsanitized inputs, you name it, if it’s a textbook fuck up, it’s in there, and then some.

Because the code is so damn old as well (MySQL 8.0, C#4, and ASP.NET 3), and utterly eschews the vaguest tenets of structured, organized programming - I decided after a month of a disproportionate effort:success ratio, to just extract the SQL queries, sanitize them, and create a new back end and front end that would jointly get things where they need to be, and most importantly, make the application secure, stable, and maintainable. I’m the only developer, but one of the senior employees wrote most of the SQL queries, so I asked for his help in extracting them, to save time. He basically refused, and then told me to make my peace with God if I missed that deadline. Very helpful.

I was making really good time on it too, nearly complete after 60 days of working on it, along with supporting and maintaining the dumpster fire that is the legacy application. Suddenly my phone rings, and I’m told that management wants me to implement a payment processing feature on the site, and because I’ve been so effective at fixing problems thus far, they want to see it inside of a week. I am surprised, because I’ve been regularly communicating my progress and immediate focus to management, so I explain that I might be able to ship the feature by end of Q1, because rather than shoehorn the processor onto the decrepit piece of shit legacy app, it would be far better to just include it in the replacement. I add that PCI compliance is another matter that we must account for, and so there’s not a great chance of shipping this in a week. They tell me that I have a month to do it…and then the Marketing person asks to see my progress and ends up bitching about everything, despite the front end being a pixel perfect reproduction. Despite my making everything mobile responsive, iframe free, secure and encrypted, fast, and void of unpredictable behaviors. I tell her that this is what I was asked to do, and that there should have been no surprises at all, especially since I’ve been sending out weekly updates via email. I guess it needed more suck? But either way, fuck me and my two months of hard work. I mean really, no ego, I made a true enterprise grade app for them.

Short version, I stopped working on the rebuild, and I’m nearly done writing the payment processor as a microservice that I’ll just embed as an iframe, since the legacy build is full of those anyway, and I’m being asked to make bricks without straw. I’m probably glossing over a lot of finer points here too, just because it’s been such an epic of disappointment. The deadline is coming up, and I’m definitely going to make it, now that I have accordingly reduced the scope of work, but this whole thing has just totally pissed me off, and left a bad taste about the organization.

I really hate when I have to work on something wrong. I mean, the client wants to embedded a third party service on their website, using iframe. Then, they want us to change the layout and behavior of the embedded page. And well, no matter what, I have to do what they want. Great job.

Latest Yandex browser (Chromium based) throws an error if "document.hasStorageAccess()" is called (:
Ie the StorageAPI that allows cross-site cookie access on user-interaction

the iFrame sandbox flags that compliment it, ie "allow-storage-access-by-user-activation" also fails on execution.
Both of these work on Edge/Chrome/Firefox.

I thought Firefox and Chromium browsers are all ive to deal with and im done but NO.
Now within Chromium-based browsers theres differences of API as well?

Kill me.

Just found out the reason for these extremely useless "Script error." errors we're getting being so useless is, once again, CORS. 😡

"Hey, something went wrong in an iframe. I'm not allowed to tell you what went wrong, or where, but trust me some shit is broken *somewhere*. But you have to figure it out yourself."

If cross-origin blocking were a person I'd kick him in the nuts just for being such a fucking dick all the time.

Hello,

I have gone through all the options that your public API has for syncing data, and i can now officially say that stripping an iFrame of a Google Drive page would be better than the piece of shit mutation methods you have come up with.

Most sincerely,
A fucking annoyed dev that just wasted about 4 hrs on your shit.

> wanting to add an embed google maps to a website I'm working on for fun, with React
> Check the API documentation, excepted their iframe they create from your needs, not much info about how to set in a a js framework
> decide to check if anyone has already created something with React
> They did! 1 american dude, one polish, one last from idk where
> The rest is basic doc so let's try each of them
> Errors, errors everywhere
> Screens stays awefully white
> Spend 2 hours checking, checking and checking again each library
> Each of them have a different problem
> Fuck this, let's copy the iframe thingy from Google's doc, adapt 1 or 2 things because of React and run npm
> Google maps works on first try

I just remembered some of the "harmless" dev-related insults I've received over the years:

1) most recently, I shared a tool with an acquaintance cuz it bears the same name as something he put together a while back. Background: this guy likes to come across as having infinite programming knowledge and brags to his fb pals about being an expert in multiple languages. While trying to make sense of the cryptic docs of the package I sent him, he implies I don't know what the iframe or html5 canvas are. Claims not to elaborate what package does cuz the docs is meant for advanced desktop and mobile devs

It hurt because this is one of few people who know I built suphle, yet thinks so lowly

2) as you can tell from the first point, I share links I consider interesting with relevant contacts. I'm also quite vocal about my (mostly contrarian) takes on occurrences within the dev space that I'm familiar with. One day on the laravel board, this dude is reprimanding me and asks me to take the opinions I read on blogs and tabloids with a pinch of salt, implying I didn't form them independently but was influenced by what was written by some stranger online

It hurt because I expected him to know better. I felt I'd sufficiently proven to have actually built things that informed my school of thought

3) the oldest happened many years ago but I remember it now because the perpetrator called me out of the blue last week. I was teaching his boss, who managed an office but preferred to keep his student status hidden, to avoid being thought incompetent. This caller guy just so turned out to be learning js at the time. Fast forward some years, we all disbanded. He'd landed a dev job and was doing well. So I sent him one of those js gotchas, asking him to explain his answer

After he replied, I told him his answer was close enough but it had more to do with js passing closure arguments by reference. Dude responded that he knew that was the correct answer but wasn't aware I knew what closures meant. That stung me like hell back then. I missed his call and didn't know who owned the contact, so I searched my chats and saw that last interaction. Pain all over again

I just contacted the support of one of our service provider for virtual tours. I told them that the iframe will open the website (in target self) instead of playing the tour, and that our clients will most likely not come back to our site, when they don't see a "go back" or something. Best would be, if the iframe plays instead of opening a new tab.

Supports answer: "I sent you a video, there you can see how to get back to your website"

*sends a video of themself opening his browsing history and clicking our site*

A dream of every UX developer.

Company website had some video playlists that weren't working, because the javascript required to run them was interacting with some of squarespace's scripts, so I dropped the video players in iframes and haven't looked back

Dear devs from the past. Whoever of you thought iframe navigation, js-only frontend and flash were a good way to build a web UI -
well, it's not.
Regards, a person from the future who still can't properly use tabs with your app.

Me and my coworker @tekmeister just spent 2 man-hours trying to find what was causing a random gap at the bottom of our page.

Turns out Google's conversion.js was embedding a 13 pixel height iframe at the bottom of our page.

Fuck you Google.

Fuck Joomla and all of its stupid iframe blocking settings

<iframe src="index5.jsp">

Hello Mr. Tester Guy, At last you finally saw this. I don't know how to say this but I'm sick and tired of your bs!

You wanna know what’s wrong with everything?

I could tell you what’s wrong with this country – or at least I could give you my opinion about it. I could tell you what’s wrong with “the church” (as though all churches are guilty of what some churches do). But I can't fucking tell what your problem is!

Let’s get pragmatic for a second.

I have worked tirelessly for over only God knows how long, trying to get this platform running on all browsers in this world even on obsolete ones (IE7,6,5,4,3... to the shithole).

You are heartless!
After all these pain you still rant about index pages not rendering equally in time across all browsers.
You are a demon from hell!

I could go on, but with your degree in Q.A. (like measuring the margin between two images using a tape-rule or looking for typos in a dummy text) you should understand my point fucking cunt.

I realize I just ranted a little, but I’d like to think that this rant is more of an attempt to end the useless practice of ranting about your moronic findings on this platform.

The devil awaits you in hell, bitch!

</iframe>

Version 1.0 of the system I work on at my job was simply 200+ *.jsp files in a single directory, with many JSP's iframe-ing in other JSP's, sometimes up to 6 iframe layers deep.... now we're implementing a proper hexagonal architecture with a Vue.js frontend, and working with legacy code is an absolute nightmare.

This is how to force an iframe to reload.

Just posted this in another thread, but i think you'll all like it too:

I once had a dev who was allowing his site elements to be embedded everywhere in the world (intentional) and it was vulnerable to clickjacking (not intentional). I told him to restrict frame origin and then implement a whitelist.

My man comes back a month later with this issue of someone in google sites not being able to embed the element. GOOGLE FUCKING SITES!!!!! I didnt even know that shit existed! So natually i go through all the extremely in depth and nuanced explanations first: we start looking at web traffic logs and find out that its not the google site name thats trying to access the element, but one of google's web crawler-type things. Whatever. Whitelist that url. Nothing.

Another weird thing was the way that google sites referenced the iframe was a copy of it stored in a google subsite???? Something like "googleusercontent.com" instead of the actual site we were referencing. Whatever. Whitelisted it. Nothing.

We even looked at other solutions like opening the whitelist completely for a span of time to test to see if we could get it to work without the whitelist, as the dev was convinced that the whitelist was the issue. It STILL didnt work!

Because of this development i got more frustrated because this wasnt tested beforehand, and finally asked the question: do other web template sites have this issue like squarespace or wix?

Nope. Just google sites.

We concluded its not an issue with the whitelist, but merely an issue with either google sites or the way the webapp is designed, but considering it works on LITERALLY ANYTHING ELSE i am unsure that the latter is the answer.

Someone wants me to help them alter the content of an iframe containing job listings from a 3rd party website. I’ve tried to tell them it’s not possible unless they can convince the 3rd party website to change their global job listing template for everyone. The client seems to think they were able to do this before with another prior job listings provider, but they don’t know how it was done and I can’t begin to imagine how either. What would you tell a client to convince them that it’s not possible?

Here is why developers should be involved in project planning.

I had a meeting with a Product Manager and a backend dev about rolling out a new rewards program. My employer has a primary website and a lightweight app that’s can be used in an iframe. It has a hard deadline because the contract for current rewards vendor is expiring.

Me: So is this new rewards program also being rolled out in the LW app?

PM: Users earn rewards on the LW app?

Me: Yes.

We’re in a video call and I can’t see the PM’s face, but I know he’s thinking “fuck.”

Me: So are we going to bring in another front end dev to code the FE for the LW app since we have a hard deadline?

PM: [clearly sounding panicked] Another dev?!

Me: Well, I’m effectively coding the frontend twice. Sure both use React, but they use it in different ways. LW app uses React Redux. I can’t just code one and copy and paste it into the other.

To be fair, this PM wasn’t the point person for the LW app. But this is why devs need to brought in on planning.

So there is this website called 100daysofrunning.in one of the worst design seen ever. They've a submit page which is another app that opens in an iframe.
If you're part of challenge, everyday you've to submit a form. Distance, time, Strava link, date and it's a pain to do so every day.
On the 50th day they restricted the date to7 days, so you cannot post data older then 7 days.
Being a programmer it would have been insult had i entered data manually.
Thanks to casperjs, meteorjs i was able to automate fetch from strava and post on this dumb page.
One day due an error, the script failed and I've missed one day of data entry. That's 2km of running gone invain and I'm out of the challenge.
Programming has mad me lazy. Screw programming. I should've been a dumb idiot to manually add data spending fkin 30 mins, atleast life would be simple.

Motherfuck oh clients! My goodness their requirements.

They want a tiny part of an app load inside an iframe in a different app and have the data communicate both ways and the ui should look seamless and mobile responsive too.

What the actual fuck? iframe in 2016 ? Seriously?

Kinda sad that the whole "seamless iframe" thing never happened. Sandboxed ads and external embeds, what a dream.

This is the story of probably the least secure CMS ever, at least for the size of it's consumer base. I ran into this many years ago, before I knew anything about how websites work, and the CMS doesn't exist anymore, so I can't really investigate why everything behaved so strangely, but it was strange.

This CMS was a kind of blog platform, except only specially authorised users could view it. It also included hosting. I was helping my friend set it up, and it basically involved sending everybody who was authorized a email with a link to create an account.

The first thing my friend got complaints about was the strange password system. The website had two password boxes, with a limit of (I think) 5 characters each. So when creating a account we recomended people simply insert the first 5 characters in the first box, and the rest in the second. I can not really think of a good explanation for this system, except maybe a shitty way to make sure password are at least 5 characters? Anyway, since this website was insecure the password was emailed to you after the account was created. This is not yet the WTF part.

The CMS forced sidebar with navigation, it also showed the currently logged in users. Except for being unreadable due to a colorful background image, there where many strange behaviors. The sidebar would generally stay even when navigating to external websites. Some internal links would open a second identical sidebar right next to the third. Now, I think that the issue was the main content was in an iframe with the sidebar outside it, but I didn't know about iframe's back then.

So far, we had mostly tested on my friends computer, which was logged in as the blog administrator. At some point, we tried testing with a different account. However, the behavior of sidebars was even stranger now. Now internal links that had previously opened a second, identical sidebar opened a sidebar slightly different from the first: One where the administrator was logged in.

We expirimented somewhat, and found that by clicking links in the second sidebar, we could, with only the login of a random user, change and edit all the settings of the site. Further investigation revealed these urls had a ending like ?user=administrator2J8KZV98YT where administrator was the my friends username. We weren't sure of the exact meaning of the random digits at the end, maybe a hash of the password?

Despite my advice, my friend decided to keep using this CMS. There was also a proper way to do internal links instead of copying the address bar, and he put a warning up not to copy links to on the homepage. Only when the CMS shut down did he finally switch to a system where formatting a link wrong could give anybody admin access.

I worked 2012-2016 for a big telco company in my country and there was this HTTPS webpage with an iframe rendering any url you passed over the ?url query param plus a header with the company's logo.

I was on a meeting with some friends in charge of social media and they found it for a user report.

Unbelievable 🤷🏻‍♂️ I remember I tried the page's url itself and it rendered a loop of the header with the company's logo 😂

When I made a PoC xss thingy.

So this webapp (which I was locally hosting) had a message functionality that allowed iframes to be sent through, but they could only originate from a specific domain. They used a bad regex tho, as the workaround was on an OWASP wiki page, which was the third search result for 'XSS'. I then used this iframe to load in a different page on this app where I could inject js in the title field. Then I discovered this field has a length limit, but I could just fit in a script that would base64 decode the hash part of the URL and eval it. I then updated the iframe to include a script that would automatically change the message signature of anyone who loaded it to include the iframe again in their message signature. Because these two pages were from the same domain, I had gained full control of the messaging app too, allowing me to do this and circumvent the csrf system.

I felt like I had achieved something.

Did you guys know that, iframe now can have allow="autoplay" allow="autoplay fullscreen" ?

So I tried to fix an app today that we made for a client ...

It's a Cordova project that's basically jus a wrapper for a certain section of the client's website that's displayed inside an iframe inside said app (with a bit of additional CSS and such). It's all working fine.

Said section of the website offers two to four different options to choose from, then scrolls down (triggered by JavaScript, window.scrollTop or JQuery's equivalent) to the next selection panel that's dynamically added to the DOM tree, the content's depending on what the user selected before.

The problem is, said scrolling effect inside said iframe does not work inside the iOS version of the app (does, however, when the content of the iframe is viewed (by just visiting the URL) inside Safari), instead, the iframe just scrolls back to top.

So after five and a half hours of depression, anger and rage, also some repetetive cursing towards Apple (just like every time something has to do with their awful products), my boss walks in, looks at me and says:

"I'd be fine with it, if I just had to manually scroll instead".

.........

If it wasn't 5pm already (I usually go home at 6), I would've just left the room / gone home or gotten my salad from the fridge to have something to release my anger on.

Seriously though, what the fuck!?

Firefox won't access iFrame's domain's Auth cookies when the iFrame is hosted on a 2nd domain, even when the cookies are Secore,SameSite=None, and sandbox is as lax as possible.

Works on chromium-based browsers.

Looked up SO and it's just "oh im facing the same" x10. FFS.

Why does Firefox behave so retarded. Not doing their shrinking userbase numbers any favour :v

Embed a html into another.
Hey guys
Having a problem here.
I want to embed html files into a main file, so they are called when a button is pressed.
what is the best way?
tried iframe but got a box with borders that I can't resize.
tried js document.write but does nothing.
any other, maby easy way?

Html and CSS and Noob
hey guys
trying to do something, search my ass off and can't find it.
So, I have a e page to access tables (another html file)
you can check It at rjpf.ddns.net .
I have a menu, with links to a iFrame, but that is not a good solution for cellphones.
I want to click the button and insert the html inside the main Div , instead of using frames.

how can I do that ?
so>
click the link(CSS button),
opens another page in the div
when I click another button opens another html file in the same DIV
tht way instead of a frame that is had to scroll It would be a single page, easy to paged own in cellphones.

Have another question but this oné must be taken care of first.

Thanks in adance

Fullscreen support in browsers is a nightmare.

I don't mind vendor prefixes, really. But iOS has different method names entirely and unnatural restrictions. You can't make <div> go fullscreen but you can fullscreen <video> element. And it gets complicated when said video element is inside iframe. The iframe has to have allowfullscreen="true", so you need to make another feature detection for that!

From a client... "Would [company] supply their banner in an iframe so we could put it on our site."

Lolwut

Has anyone used YouTube iFrame API?
I do ask first here before going on SO.

I am trying to play a YouTube video in sync from 2 different computers.

Luckily YouTube iFrameAPI has an event called `onStateChange` that is fired every time a video is paused, played, stopped etc.

This is the scenario...

1. Host creates a session and sends the link to guest.
2. Guest connects with the host.
3. Host plays/pauses/goes to specific time in the vide the video. The video is synced on guest session.

Now I have to figure out how to sync when Guest does an action. The thing is, every time an event is triggered in Host, it sends the command to Guest. The guest obeys BUT THEN the event `onStateChange` is triggered on guest and sends the command to Host. It is an infinite loop that I cannot seem to figure out if the onStateChange is triggered from API or from User interaction.

What I have tried so far...

1. Global variables. No luck.
2. Disable the event handler when the guest is gets data from host and after it finishes syncing, activate the event handler. But the handler still triggers.
3. Timeframe. (an ugly one) . Checks when the last time that event was triggered. If it was less than 1.5 seconds (or other second), it does not send the commands to host.

So, some of you know that I'm having struggle manipulating Youtube iframes with jquery or plain javascript, please note that the same thing can be done via YouTube API but I personally do not want to rely on API,

So after 2 days of struggling I've officially given up, I feel so fucking angry and sad at the moment I can't even describe.

For some solutions to work I need SSL certificates.

the closest I could get was $(iframe#youtubeiFrame)['content'];

This leads to the youtubeIframe root #document but I am unable to access that DOM

Next task, to configure another IDE except Eclipse for Demandware.

$options = array('Aptana'=>'IDE','IntelliJ=>'IDE','VSCode'=>'textEditor');

when a client say
"I know Html and CSS do I get a discount if I embed your application in an Iframe"

I think I found out why Cengage hasn't gotten back to me on their root-server issue: They're leased by next.tech (that's their name and URL) and it's literally an iframe from them inside like 7 Cengage iframe wrappers (which is also why it runs like ass apparently!)

next.tech supplies cengage with the actual heavy lifting, and cengage is literally a shitty wrapper for it.

"Our SmartScaled infrastructure ensures your users have a secure computing environment available in seconds." fucking bullshit i'm already root in my own personal server you've handed to me

What's the deepest nested iframe you've ever worked on. Has anyone done work on an ifrane within an iframe with in an iframe?

Since my question, in all likelihood, won't get answered on StackOverflow, I hope I can ask it here instead. I hope that's alright.

So, I am currently developing a Feathers + Nuxt boilerplate, and am using localStorage to store the jwt.
But I noticed if I set the localStorage with the jwt manually, it will act as if I'm logged in, bypassing the entire login-function. So I solved this by using an iframe with a script that clears localStorage (and log out the user, if logged in) when something changes in the localStorage (by using the eventListener "storage"). (I am also observing the iFrame if someone deletes it, in the console, and re-inserts itself).

My question is if this would carry any security risks? Like, would this be a bad thing to do, security wise? Is it alright to leave it alone and let users/visitors to set the jwt manually?

got a client who wants me to "stream pdf files instead of serving them so users cant download or print them".

as far as I know this is impossible. but he replied we dont care if an IT guy figured out a way to get it but we want majority of normal people to be unable to figure a way around it.

if im gonna need to show ms word and pdf files i will need an iframe or object embed and i cant disable right clicks or listen on ctrl s / p.

any ideas or should i not go for the project :(

I got one problem I have some data in local storage. Now i have set iframe with another website. I need to pass local data into form inside iframe. but it gives me Cross Site permission issue. Any suggestions.?

Say a JS 'widget' is embedded inside a domain abc.com
the widget's content is retrieved from xyz.com (API?), the API also returns a custom URL (think of it as a tracker) that the JS adds to the DOM of abc.com, inside an iFrame.
Essentially making this iFrame hosting xyz.com content/page while existing in abc.com domain
Now this iFrame's page makes its own requests to 3rd party sites, would that mean the 3rd party would see the request originating from xyz.com (iFrame page) or abc.com (the site hosting the iFrame)?

Fuck these untestable iframe drag and drop file upload Drupal piece of shit.

I need help trying to explain to my boss. Iframes are going to load slow no matter what. Then he shows a page where a iframe loads pretty. decently well. He fucking doesn't understand that even a blank iframe can slow everything.

Msal.js. I give it 3/10..

The docs are duplicated, and in various states of out of date. Half the library seems to be undocumented based on how many edge case bugs I've hit, it offers a popup login but you have to have a set specified white list of urls you can launch the popup from which makes a popup login pointless...

Ontop of that my colleagues shat the bed on it and fucked the whole implementation including the azure b2c setup... We do not even have a backend app listed in the azure b2c apps. The redirect also won't work if you don't instantiate an object in a hidden iframe of your own website that fetches a token... This does not make life easy when you use a SPA framework and you have already implemented a whole pipeline abstracting the creation of this object behind layers dependency injection.. Nice.

After sifting through endless shit I finally have a solution. What a week.

Typical attempt to automate an annoying task, overengeneering more and more for hours, just to find out, that an iframe is blocking my way while searching the DOM. The iframe doesn't show me his descendants (did some research on that), hence the element I'm looking for cannot be queried, which was a main goal.
Great...

Worked around a major blocker using iframes inside modals. The 8 hours saved will become 8 days extra in Web Developer Hell when I have to refactor it fully!

Pray for me :/