Workaround Unsafe JavaScript attempt to access frame and ad-hoc solution

I know this subject has been largely discussed and there is no way to get the parent frame modify the children frame due to security reason.

BUT

I'm developing a ad-hoc solution fo开发者_StackOverflow社区r some clients, we can configure their browser and eventually install plugin ( which will be the "fail" solution). We would like to configure the browser (chrome or whatever ) to NOT protect the browser from this.

My aim is to inject a JavaScript into their website without having any access to their website.

I actually use a php proxy which works... pretty bad ( how to keep the links when they are loaded dynamically via JavaScript? ) and I would not like to develop a Firefox plugin because it s a bit heavier and longer to set up I guess.

Any idea?

Your question is not that clear. But if you want to load a different domain from the parent in an iframe, there is no way to access it, UNLESS your customer uses an open-source browser and are happy for you to install on their systems a hacked version of the browser that will allow this.

But I can assure you this is not going to happen for a variety of reasons.

tl;dr: you can't.

You can communicate between 2 frames from 2 different domains using window.postMessage for the recent browsers.

If you have to support IE6/IE7 or older browsers, you can use the window.name hack.

Both techniques allow you to pass string data between frames. You need then to have some javascript on both sides that listen to the event and make the action. You don't need to change anything to the browser configuration.

EDIT:

After your comment, here is another option: a bookmarklet. You define a page like this on your site, changing the path to the js file:

<html>
<body>
<a href="javascript:(function(){var s=document.createElement('SCRIPT');s.src='/url/to/your.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(s);})()">Drag'n Drop this to your bookmarks</a>
</body>
</html>

And you ask your users to click the bookmark when they want your code to run.
This will inject the code in the client page, and you are free to do what you want.

Obviously this has a security concern. Your script has full access(content, cookies) in their page. But since you are almost ready to recompile a web browsers for that :) I guess it will work for them.