When we embed an external web page inside a Federated Wiki page using the About Frame Plugin (an `iframe` inside the wiki lineup), we sometimes want the framed page to know where it is being displayed in the wiki, or to let the wiki discover what the framed page is showing. This runs into a deliberate security boundary in modern browsers: > pages cannot read the browser toolbar URL, and cross-origin iframes cannot freely inspect each other’s location or DOM.
The practical problem is simple: the wiki page wants to discover context (the current lineup state and page identity), while the framed HTML page might want to discover the wiki page that contains it, so that it can “attach” itself to the correct lineup or report activity back into the wiki.
# Same Option Option We make the framed content same-origin with the wiki so the parent page can safely introspect the iframe. If the framed HTML is served from the same scheme, host, and port as the wiki, then the wiki page can read the iframe’s current URL and coordinate state directly through normal JavaScript access, because the Same-Origin Policy no longer blocks it.
This is easiest when you control the framed content and can host it under the wiki origin, and it can also be approximated by serving remote content through a proxy under the wiki’s origin, though that approach adds operational complexity and can create new security responsibilities.
# Option C i We pass the wiki context into the iframe explicitly as part of the iframe URL. Instead of trying to “discover” the wiki page from inside the frame, the wiki page constructs the iframe `src` with a parameter that identifies the wiki page or lineup context, such as `?wikiPage=some-slug` or a fragment like `#wikiPage=some-slug`.
The framed page can then read that value from its own `location` and use it to align itself with the correct wiki page without needing any access to the parent window or the browser UI. This approach works even when the iframe is cross-origin, because reading your own URL is always allowed, but it only provides the context you explicitly include.
# See