Hi

I have a JS function that polls for the current url in an iframe, the purpose being to ascertain whether or not the iframe is pointing to the same site as the main document. As such, the code is basically:

function urlCheck()
{
  var location = document.getElementById('frameid').contentWindow.location.href;
  if (location)
  {
    // iframe src is currently local
  }
  else
  {
    // iframe src is currently not local
  }
}

Functionally, this code works perfectly. However, in the error console, every time this function is called and the iframe src is not local I get an error:

Permission denied for [site1] to get property Location.href from [site 2]

How can I fix my code to avoid these errors?

Thanks, Mala

+3  A: 

Wrapping your code in a try-catch block should be able to catch and deal with these errors.

DanSingerman
Thank you. I had no idea JS supported the try-catch methodology. The link was very helpful and my function now works error free :)
Mala
A: 

Actually, the error message is the info you want: As soon as the URL of the iframe points to a different domain, you get permission errors. This is a safety measure to avoid XSS attacks.

[EDIT] This means you can replace the code above with:

function urlCheck()
{
  try
  {
    // Reading href throws when the iframe shows a document from another site
    document.getElementById('frameid').contentWindow.location.href;

    // iframe src is currently local
  }
  catch (e)
  {
    // iframe src is currently not local
  }
}
Aaron Digulla
Can catching the error actually expose you to an XSS attack though? He's not actually changing permissions, just sanitizing what the user sees.
DanSingerman
Aaron: thank you for making sure I'm being careful. Actually, I don't really need the error message. Basically my code now says "set var location = false; try to set location to url of iframe; if (location) {do stuff}". As such, I'm pretty sure I'm safe. DanSingerman is correct - I just hate it when sites bog down my error console with errors (makes debugging my JS while surfing other sites a pain in the R-se =P) so I'm trying to avoid doing that to other people.
Mala
@DanSingerman: Of course not. See my edits.
Aaron Digulla
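The try/catch probe from the answers above, packaged as a reusable check that reports only state changes while polling. This is an added example, not code from any poster in the thread; frameOriginState, watchFrame and mockFrame are hypothetical names, and mockFrame is a constructed stand-in for an iframe so the logic also runs outside a browser.

```javascript
// Added example; frameOriginState, watchFrame and mockFrame are hypothetical names.

// Returns 'same-origin', 'cross-origin' or 'detached' without letting the
// browser's cross-origin exception reach the error console.
function frameOriginState(frame) {
  if (!frame || !frame.contentWindow) return 'detached'; // iframe not in the DOM
  try {
    // Reading href is the probe: it throws for a cross-origin document.
    void frame.contentWindow.location.href;
    return 'same-origin';
  } catch (e) {
    // Fail closed: any failure to read means "do not treat as local".
    return 'cross-origin';
  }
}

// Polls the frame and calls onChange(newState, oldState) only on transitions.
// Returns a function that stops the polling.
function watchFrame(getFrame, onChange, intervalMs = 500) {
  let last = null;
  const tick = () => {
    const state = frameOriginState(getFrame());
    if (state !== last) {
      const prev = last;
      last = state;
      onChange(state, prev);
    }
  };
  tick();
  const timer = setInterval(tick, intervalMs);
  return () => clearInterval(timer);
}

// Constructed stand-in for an iframe element (not a real DOM object).
function mockFrame(href, crossOrigin) {
  return { contentWindow: { location: {
    get href() {
      if (crossOrigin) throw new Error('Permission denied (constructed message)');
      return href;
    }
  } } };
}

// In a page: watchFrame(() => document.getElementById('frameid'), console.log);
```

Treating every failed read as cross-origin means code that trusts "local" content never runs on a frame it could not inspect.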