Basically I have a cross-domain iframe and can't enable the allow-scripts flag, but at the same time I need to get the postMessage that is in a <script> tag in the iframe document OR access the iframe contentDocument.
I've tried:
let iframeElement = document.getElementsByTagName('iframe')[0];
let iframeContent = iframeElement.contentDocument
console.log(iframeContent)
But with the sandbox flag I only get a null return.
What I need to be able to do is one of those three options:
But all of this without the allow-scripts flag. Is what I'm trying to achieve even possible?
The simple answer is no.
An <iframe> with its sandbox attribute restricting the use of scripts cannot execute scripts. So you won't be able to call postMessage() from this iframe's context, nor will you be able to fire a callback to an event listener.
Now, since your document doesn't satisfy the cross-origin policies, you are stuck, with no way to interact with the <iframe>'s document from outside.
The only workaround, if this feature is a must-have, would be to use your server as a proxy so that your iframe's content is actually fetched and served by your own server.
This way, there is no cross-origin issue anymore (if you add the allow-same-origin policy on your iframe) and you'll be able to access your iframe's content from your parent's doc, or even add event listeners, even though still no scripts could run from this <iframe>'s context; everything would be run from the main doc's context. (This means still no postMessage() from the <iframe>).
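
The proxy workaround described in the answer above, as an added example that is not part of the original answer: a Node 18+ request handler that serves the third-party document from your own origin, plus the parent page that reads it. The `UPSTREAMS` map, the `/frame/<key>` route and the upstream URL are hypothetical placeholders.

```javascript
// Added example, not code from the answer. Assumes Node 18+ (global fetch).
// Fixed allowlist (placeholder URL): the client picks a key, never a URL,
// so the route cannot be turned into an open proxy.
const UPSTREAMS = new Map([['widget', 'https://third-party.example/widget.html']]);

function upstreamFor(path) {
  const m = /^\/frame\/([a-z0-9-]+)$/.exec(path);
  return (m && UPSTREAMS.get(m[1])) || null;
}

// The proxied document now lives on our origin, so it must never run script,
// even when /frame/<key> is opened directly in a tab, outside the iframe.
function frameHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "sandbox allow-same-origin; script-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Parent page: sandbox without allow-scripts; contentDocument is readable
// because the frame is same-origin and allow-same-origin is set.
const PARENT_PAGE = `<!doctype html>
<iframe id="f" src="/frame/widget" sandbox="allow-same-origin"></iframe>
<script>
  const f = document.getElementById('f');
  f.addEventListener('load', () => console.log(f.contentDocument.title));
</script>`;

async function handleFrame(req, res) {
  if (req.url === '/') {
    res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
    return res.end(PARENT_PAGE);
  }
  const upstream = upstreamFor(req.url);
  if (!upstream) { res.writeHead(404); return res.end(); }
  try {
    const r = await fetch(upstream, { redirect: 'error' });
    if (!r.ok) throw new Error(`upstream status ${r.status}`);
    const body = await r.text();
    res.writeHead(200, frameHeaders()); // upstream headers (cookies) are dropped
    res.end(body);
  } catch {
    res.writeHead(502);
    res.end();
  }
}
// Serve with: require('node:http').createServer(handleFrame).listen(8080);
```

Keep `allow-scripts` off this frame: a same-origin document with both `allow-scripts` and `allow-same-origin` can remove its own sandbox. Relative URLs in the proxied HTML will resolve against your origin, so assets may need their own allowlisted routes.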