Cross-Frame Scripting, IFRAME And Https (access Denied)
Jul 23, 2005
I'm trying to dynamically set the height of my Iframe. my https: main page
is calling another https in an Iframe. But i get an access denied error
from my javascript trying to call the parent document.
Main https page
<IFRAME APPLICATION="yes" style="width:100%;" id="iframename"
frameborder="no" scrolling="no" SRC="https://www.otherdomain.com">
otherdomain.com html
------------------------------------------------
<script>
function bodyheight() {
x = document.body.scrollHeight
parent.document.all.iframename.style.height = x
}
</script>
Is it possible to run an HTML file from "localhost" and bypass the various security checks in place for cross-frame scripting? For example, on a 2-frame page loaded locally:
a) frame 1 includes a form that accepts the name of a web site (example: www.foo.com), which a script or perhaps a "target" attribute then loads into frame 2 b) frame 1 waits for frame 2 to load, then reads (for example) top.frame2.document.images.length and displays the total in frame 1
I realize that "localhost" is not going to match the domain appearing in frame 2, but as I myself am running the script, logically, where is the harm?
I haven't done much testing with this yet, but am planning an application around this concept and am hoping I can make it work. Any pointers?
I have an iframe that is used to access the server so the entire page doesn't reload. The frame works great the first time but after the frame has preformed the query and reloaded, if the script tries to access the frame, I get a "permission denied" error.
I got this working in FireFox if I changed headers to Access-Control-Allow-Origin: * With IE7 I'm getting "Access is denied" error. And with IE7 I can't use XDomainRequest.Is there some workaround besides creating proxy? Like using another request method(PUT?)?
i want to do (multiple) file upload(s) and display a progress bar. with firefox and safari it is no problem at all. only IE makes some problems.
my script is based on ajax-uploader, which can be found at www.srmiles.com/freestuff/ajax_file_uploader/ . you can do multiple file uploads. each upload will have it's own "form"-tag, so that each file is uploaded for its own. could be a good solution if there are "big" uploads.
so here is what i do:
i have a html-page in which several forms with file-input fields are generated. when i now hit the "one" submit button at the bottom of the page a javascript function upload() starts it will iterate through all forms (id='frmUpload_xx'), will get the filename, start a ajax request for the progress-bar function and do a form.submit().
if the first form/file is uploaded, a settimeout('upload()', 1000); is called and the next form will be processed. all form's have an target="uploaddiv", where uploaddiv is a invisible iframe. so the output of the upload script is put in this div. output should only be a "OK" at the end. no usefull output no info no nothing.
firefox and safari are working as expected, only IE stops after the first file is uploaded. i get an javascript error saying "zugriff verweigert/access denied" on object line x... this is the place where i call "form.submit()".
this is the upload-function:
function upload() { if (uploads.length>0) { form = document.getElementById('frmUpload_'+uploads[0]); if (form["filename"].value == ""){ alert("Please Choose a file to upload."); } else { filename = form["filename"].value; if (filename.lastIndexOf("")>0) { filename = filename.substring(filename.lastIndexOf("") +1,filename.length); } else if (filename.lastIndexOf("/")>0) { filename = filename.substring(filename.lastIndexOf("/") +1,filename.length); } makeRequest("upload_progress.php?sid="+sid +"&filename="+filename,progress); form.submit(); } } }
the strange thing is, that filename is filled correct, that means the object "form" is found and exisits. the first iteration is working, only the second ends with an error.
think it have something to do with redirecting the output of the upload-script in an iframe. after that IE can't access form - at least IE is not allowed to submit the form as i can access a form field (filename). i worked on that the last two days and haven't found a solution...
I am using this code to refresh the browser after a iframe has finished loading. Does anyone know a cross-browser one that will work on all browsers. I have tested it on firefox and internet explorer, it seems to only work on firefox.
I need to html encode all text field values on the client just before sending them to the server. A javascript equilalent of Server.HTMLEncode in IIS. I also need to be able to perform the reverse.
All I am trying to do is ensure that if a user enters html tags in the a form, that the tags does not get parsed by the browser.
I have a frame in which there are 2 IFrames., both being loaded from the same domain. One IFrame is loaded from http://test1.xyz.com and the other IFrame is loaded from https://test1.xyz.com/test
I am getting an error while accessing data in the HTTP IFRAME from the HTTPS IFRAME.
Is it possible at all to access the data in the other IFrame, when the protocol is different?
I'm working on a project at the office that pulls together a bunch of our websites into a portal thing and adds a better search engine. We're also trying to accomadate newer browsers (Netscape 7.2, Firefox, Safari) and are having some problems. The websites run on different servers, all of which we control, so we are setting the document.domain = "ourdomain.com"; in some javascript on ever page. However, we're having problems. We use popup windows for some things, and sometimes these popups want to 'populate' the parent frame window with a new page as a result of a user selection on the popup.
This works most of the time, but not always. For instance, in Netscape 7.2 it just seems to fail with an "access denied..." error in javascript. In Firefox and Safari it opens a new window and populates that instead of populating the original parent window. Can anyone point me at some definitive information about the document.domain property and how to use it effectively?
I'm trying to set up a system similar to Google AdSense that allows other websites to display some HTML content from my site on theirs. I've looked at the show_ads.js file Google uses to display Ads but to be honest I've not found it easy to decipher. I've also read that using a <script> tag to load a JavaScript file from my site is simpler than trying to do do this with an AJAX request. it discusses returning JSON rather than HTML.
BTW I know I could use an iframe to achieve something similar but this won't give me the result I need because the content coming from my site will contain a link back to my site and I want the link to be registered as an inbound link to my site for SEO reasons.
We have a javascript that is vulnerable to XSS because the input to the script is not being checked for strings such as "javascript", "eval", "script" etc. I have seen some snippets of code here and there on how to check the strings but I have not yet found a comprehensive js library that will clean user input of all offending characters. What complicates it is that phishers can encode characters to bypass the usual amateurish attempts to clean strings of offending characters.
I have a page A and inside it I have an iframe B. B points to another php file that shows a form (so basically in the iframe we see a form). When I submit the form, I call to another page C that verifies the fields of the form and if they are ok I redirect to page X, if not I redirect to page Y. The problem is that I see page X and Y inside the iframe, and I want to see them in the parent page.
I'm trying to access window opener properties for some ad code. Sometimes the launching page is in a different domain, and i need my script to recognize this fact and move on to something else without producing the "permission denied" error for all users to see. i've already got if(opener){etc.} in there but that still returns as true, even though we theoretically can't access properties of the opener which is in another domain.
Can anybody think of any solutions that don't involve ugly active X objects? I guess what i'm basically looking for is some way of saying "if permission is denied on this object, don't try to access it's properties and set to a default value instead".
I cannot seem to fix this problem; I get an access denied error with the line colored red below. I am not calling this up from another domain, it is simply a popup that has a few parameters. Works fine in Firefox. code...
Is there any way to resize an iframe dynamically to the height of its content that works cross browser and works when the iframe content is on another domain than the main page (I have access to both pages, so code can be put in either) Also, it must resize when links in the iframe are clicked (ie when a new page within the iframe is loaded)
My HTML page loads and alerts an XML document on another machine. If I request the page by machine name or localhost there is no problem. If i request by IP access denied error occurs.
I think this is because of that only the documents on same machine can be loaded. Is there any way to load xml documents from another machine?
For some reason, when I create a new window using "myWin = window.open(url)", and then try to get the location of the window using "alert(myWin.location)", it tells that access is denied. How can it be denied...it's a window I created...therefore, shouldn't I have access to it's location property?
In that poupup window, the user loads a number of different pages (by submitting forms and clicking on buttons), some of which are in a different domain. But eventually, the user comes back to a page that is in the same domain as the page in the main window.
On this page, I'm trying to execute the following script:
Yes, there is a form on the page that has been sitting in the main window this whole time. However, I'm getting an "access denied" error. Any thoughts?
a little backstory.. I had the script running fine on my computer. . transfered them to my laptop, and the script still found and parses the xml like it should. however, i zipped them and sent it back to myself and now all the values come back undefined.
[Code]...
fairly straight forward and simple.. but values of x[0].textContent is coming back undefined.. i have all files (html, js, and xml) in the same folder on my desktop. they worked perfectly fine before when they were just on my desktop.. but now that won't even work.
I have a form with an input type='file' element. I click on the Browse button of my file upload element, select a file, and hit open. The file name appears in the textbox portion of the file upload element (as expected). When I submit this form everything works perfectly.
On the same form I have a hyperlink that simulates clicking on the Browse button of the file upload element. It does this by using the file upload element's name and the click() method. I click on the hyperlink and the file dialog box opens as if I had clicked the Browse button. I select a file and hit open. The file name appears in the textbox portion of the file upload element - just like it should. BUT ... when I try to submit this form I get a javascript error that says "Access is Denied". The error is not on the next page, it's on this page - that is, the form never actually gets submitted and processed. There can be no doubt that this is a client-side error.
I've seen a lot of posts about this from a couple years ago but no solutions. Does anyone have any ideas? It's really important that I can launch the file open dialog box from a hyperlink.
I am in the unusual situation of knowing EXACTLY what is causing the above error on my page, but I do not know what to do about it. The problem is in a Javascript function that gets any style attribute of any element, whether that style comes from an inline or external stylesheet declaration. The function is this: Code:
