Is there any way to change or block the usage of window.location.ancestorOrigins in iframed sites under Chrome?
For security reasons, I do not wish the iframed page to be able to detect the top url.
Under Firefox, if the <iframe> is pointing to another <iframe>, it solves the issue.
But under Chrome, it's still detecting the main website.
- What is a 'security reason' for preventing something you embed on your site from knowing where it's being embedded? I see changing the contents of this array as a security issue, so I'm curious to know your intent. – Seanonymous Commented May 2, 2017 at 18:59
- @Seanonymous it's equivalent to providing a website with your local IP, name, address, as you're the one accessing the site. embed a site and it knows where you come from? sounds bad to me – neaumusic Commented Dec 21, 2019 at 23:30
2 Answers
No. And the discussion has been going on since 2016! https://github.com/whatwg/html/issues/1918
This is what you get when google advertising money funds Chrome development.
Also note that on chrome you can override document.referrer via defineProperty(), but not window.location.ancestorOrigins. They really care about that property, just not enough to respect the content security policies on it ¯\_(ツ)_/¯
@seanonymous (new account, can't reply to comments here yet) the use case is that some sites expose information in the URL that they do not want partners to see. For example, CNN might leverage Google or Facebook for login information. They are fine sharing with those companies that the user is reading cnn.com in exchange for the authorization flow to their comment section. But they might not be OK sharing the article the user wishes to comment on to those companies. This problem was solved a decade ago by W3C via CSP and referrer control headers. But Google implemented this without anybody's comment, just like Microsoft did during their IE4~6 market dominance.
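The difference the answer above describes between document.referrer and window.location.ancestorOrigins comes down to where each property is defined. The probe below is an added example, not part of the original answer: it reports whether a property can be shadowed with Object.defineProperty. The names probeOverride, MockDocument and mockLocation are hypothetical, and the mock objects and their URLs are constructed stand-ins that mirror a prototype accessor (like referrer) and a non-configurable own property (like the unforgeable Location attributes), so the block also runs outside a browser.

```javascript
// Added example. In a browser console the same probe can be called as
// probeOverride(document, 'referrer') and probeOverride(window.location, 'ancestorOrigins').
function probeOverride(target, prop, fakeValue = 'overridden') {
  // Walk the prototype chain to find the object that actually defines the property.
  let owner = target;
  let desc;
  while (owner && !(desc = Object.getOwnPropertyDescriptor(owner, prop))) {
    owner = Object.getPrototypeOf(owner);
  }
  const result = {
    ownProperty: owner === target,               // defined directly on the instance?
    configurable: desc ? desc.configurable : undefined,
    overridden: false,
  };
  try {
    // Shadowing works if the property lives on the prototype or is configurable.
    Object.defineProperty(target, prop, { get: () => fakeValue, configurable: true });
    result.overridden = target[prop] === fakeValue;
  } catch (e) {
    result.error = e.name; // TypeError when the own property is non-configurable
  }
  return result;
}

// Constructed stand-in: accessor on the prototype, like Document.prototype.referrer.
class MockDocument {
  get referrer() { return 'https://top.example/article?id=1'; }
}

// Constructed stand-in: non-configurable own accessor, like Location attributes.
const mockLocation = {};
Object.defineProperty(mockLocation, 'ancestorOrigins', {
  get: () => ['https://middle.example', 'https://top.example'],
  enumerable: true,
  configurable: false,
});

console.log(probeOverride(new MockDocument(), 'referrer'));
console.log(probeOverride(mockLocation, 'ancestorOrigins'));
```

Either override would only take effect inside the page that runs it, so an embedding page cannot use this to change what a cross-origin frame reads.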
The answer is simple: you just cannot change it.