views:

1081

answers:

3

Hello,

This question is a more specific description of the problem I asked on this thread. Basically, I have a web application for which I am trying to use Twitter's OAuth functionality. This application has a link that prompts a user for their Twitter credentials. When a user clicks this link, a new window is opened via JavaScript. This window serves as a dialog. When a user clicks the link, they are redirected to Twitter's site in the dialog. On the Twitter site, the user has the option to enter their Twitter credentials. When they have provided their credentials, they are redirected back to a page on my site in the dialog. This is accomplished through a callback url which can be set for applications on Twitter's site.

All I am trying to do is read the URL of the window that I have opened. I am trying to read the URL to detect a change so I can react accordingly and write to the HTML DOM on the launching page. However, whenever I attempt to read the dialog window's URL, I receive a "permission denied" error. To isolate and re-create the problem, I created the following test which shows the problem.

<html>
  <body>
    <input type="button" value="test" onclick="startTest();" />

    <script type="text/javascript">
      var dwin = null;
      var timeoutID = 0;
      var checks = 0; // number of polls so far (timeoutID is an opaque handle, not a counter)

      function startTest()
      {
        dwin = window.open("http://www.google.com", "dialog", "height=600,width=800", true);
        timeoutID = setTimeout(timerElapsed, 1000);
      }

      // Polls the dialog once per second and stops after five checks.
      function timerElapsed()
      {
        if (checks == 5)
        {
          clearTimeout(timeoutID);
          alert("We're done!");
        }
        else
        {
          checks++;
          if (dwin != null)
          {
            // Reading the location of a cross-origin window raises the "permission denied" error.
            alert(dwin.location);
          }
          timeoutID = setTimeout(timerElapsed, 1000);
        }
      }
    </script>
  </body>
</html>

How do I get dwin.location? I'm really confused. I didn't think this was going to be this difficult.

Thank you for any help you can provide.

A: 

You cannot access the opened window URL since cross domain access is prohibited by all browsers. So you need to think of another way to do it.

Artem Barger
+1  A: 

The short answer is that you aren't going to be able to, unless you revise your strategy.

The simple reason is that you've opened a new browser window. The user could follow links away from your site, and it would be a privacy violation for the browser to let you know what site they are at. URLs themselves are private information if they are not from your site.

The way around this is that if the window popup is your site, the code in that window could post back to the parent window what the current location of the child window is.

Renesis
But what if the window popup is not my site? While the end page is my site, it is redirected to that page from a page that is not my site. Is there no way to do this?
Villager
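
The approach from the answer above (the callback page on your own site reports its location to the window that opened it), written with window.postMessage as an added example that is not part of the original answers. APP_ORIGIN, the "oauth-callback" message type and both function names are assumptions made for illustration.

```javascript
// Added example. Assumed names: APP_ORIGIN, "oauth-callback", both functions.
const APP_ORIGIN = "https://app.example"; // placeholder for your site's origin

// Callback page (your origin, loaded in the popup after Twitter redirects back).
// In the browser: reportToOpener(window, APP_ORIGIN);
function reportToOpener(popup, openerOrigin) {
  if (!popup.opener) return false; // opened directly, not as a dialog
  // Explicit target origin, never "*": the callback URL can carry OAuth
  // parameters and must not be delivered to a page on another origin.
  popup.opener.postMessage(
    { type: "oauth-callback", href: popup.location.href },
    openerOrigin
  );
  return true;
}

// Launching page. In the browser:
//   const dwin = window.open(authUrl, "dialog", "height=600,width=800");
//   window.addEventListener("message",
//     makeCallbackHandler(APP_ORIGIN, () => dwin, (url) => { /* update DOM */ }));
function makeCallbackHandler(expectedOrigin, getPopup, onCallback) {
  return function handle(event) {
    if (event.origin !== expectedOrigin) return false; // sender's origin
    if (event.source !== getPopup()) return false;     // sender is our dialog
    const data = event.data;
    if (!data || data.type !== "oauth-callback") return false;
    let url;
    try { url = new URL(data.href); } catch (e) { return false; }
    if (url.origin !== expectedOrigin) return false;   // reported URL is ours too
    onCallback(url);
    return true;
  };
}
```

If the provider's pages set Cross-Origin-Opener-Policy, the popup loses its opener reference and reportToOpener returns false, so the callback page needs a fallback for that case.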
+1  A: 

Not really an answer to your questions, but:

  • using a popup, you'll get that kind of security restrictions/problems, because you're using another domain
  • depending on how you are opening it, the popup might be blocked by the popup-blocking functionality of the browser
  • popups are really annoying for the users!

Is there no way you could avoid using a popup?


A few days ago, I saw this blog post about Twitter and OAuth: Writing A Simple Twitter Client Using the PHP Zend Framework's OAuth Library (Zend_Oauth)

Even if you are not using Zend Framework or PHP, that post shows it is possible to use OAuth to authenticate on Twitter without using any kind of popup :-)


Why not just have your user redirected to the authentication page of Twitter (inside the current browser's window) when they click the link? And have them back on the site when they're done authenticating? There's probably a way to do that with Twitter's API?
Actually, it seems it's possible (quoting your other question):

On the Twitter site, the user has the option to enter their Twitter credentials. When they have provided their credentials, they are redirected back to my site. This is accomplished through a callback url which can be set for applications on Twitter's site.

Is the problem that you are afraid users won't come back?
Well, if they are clicking this link, it's probably because they want to do something on your site, no? So, they will probably come back!
Maybe you could put an explanation next to the link, to explain what it does and how; that might help them know it's normal to be sent to Twitter's authentication page ;-)

Pascal MARTIN