tags:

views:

194

answers:

2
+3  Q: 

Iframe permission denied error when developing locally: what are my options?

Here's what's going on:

I have an application A hosted on a.mycompany.com and an application B hosted on b.mycompany.com

Application A contains an iframe containing a page contained in the application B.

<!-- In A's index.html: -->
<iframe src="http://b.mycompany.com/something.html" >

I need to have either the parent talk to the iframe or the iframe talk to the parent.

It works fine when it's on the server, but when I'm developping locally I have two different servers running on different ports so I have to access them via:

http://a.mycompanydev.com:1234
http://b.mycompanydev.com:5678

And this leads to a security error since you can't communicate using JS with an iframe from a different domain/subdomain or using a different port.

What can I do??

Related serverfault question: http://serverfault.com/questions/148171/how-to-map-localhost8080-to-simply-localhost

+2  A: 

You can use fragment id messaging, which is a hack that uses window.location.hash (the part of the URL following #) to communicate. This test page has an example. There are also libraries such as Dojo that facilitate this.

If you only need to support recent browsers, you can use postMessage.

Matthew Flaschen  2010-06-04 12:22:58
Thanks for the answer! Could you elaborate a bit on what this is or how to accomplish that?
marcgg  2010-06-04 12:24:13
Here is the idea - Code in one window/iframe can write (but not read) the location of every other iframe on the page, even it belongs to another domain. So, iframe A will modify the url of iframe B by adding some content after the # (fragment identifier). Iframe B on the other hand will continuously monitor its url to identify the message. I believe there are libraries that insulate you from the gory details, you would just have to google it up.
sri  2010-06-04 12:35:34
If this is to be applied then you should go for a ready cooked solution like easyXDM. Its far beyond what Dojo (and any other library) has. But I would personally go with the proxy in this case, its not difficult and could be provided via a simple script.
Sean Kinsey  2010-06-04 13:58:34
+2  A: 

In addition to the postMessage and location hash that Matthew mentions above, you may want to consider using a proxy server running locally. The proxy server will listen on port 80 and forward to the appropriate target port based on the domain name specified in the http request. Then you just access your website normally on port 80 and things should work properly.

sri  2010-06-04 12:41:29
The proxy idea is good but it would require everyone on the team to set up this proxy and this wouldn't be acceptable...
marcgg  2010-06-04 12:48:46

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security