Here is a bunch of code isolating this problem:

  1. Create 3 files on a local server:

test.html

<SCRIPT language="JavaScript" SRC="http://localhost/postmsg.js"></SCRIPT>
<iframe src="http://127.0.0.1/iframe.html" id="iframe"></iframe>
<div>Click anywhere on this page to see message from embedded iframe,
which do not need to be on the same domain</div>

iframe.html

<SCRIPT language="JavaScript" SRC="http://127.0.0.1/postmsg.js"></SCRIPT>
<div id="message"></div>

postmsg.js

// ==UserScript==
// @include       *
// ==/UserScript==

alert('script loaded');
// On click: look up the first iframe on the page and post a message to it.
window.addEventListener('click',
    function() {
        var frame = document.getElementsByTagName("iframe")[0];
        var cwindow = frame.contentWindow; // here comes the error: anything after this line won't execute in Greasemonkey
        alert("this won't show in greasemonkey");
        cwindow.postMessage("hello, iframe!", "*");
    },
true);

// On message: show the received data and append a note to the #message element.
window.addEventListener("message", function(e) {
        alert("message from iframe: main window was clicked!  " + e.data);
        document.getElementById('message').textContent += "message from iframe: main window was clicked!\n";
}, true);

This JS file can work as a standard included file in HTML, in which case the first comments are ignored, but after renaming the extension to user.js it can be installed in Greasemonkey, and then it stops working after the line where contentWindow is called.

Notice that even if the main and framed HTML are on the same server, for the JS interpreter these files are on different domains, because the JS interpreter doesn't know that localhost and 127.0.0.1 are identical.

I've put "@include *" so you can check it on different websites, and it looks like this error only exists on cross-domain iframes. If you go to translate.google.com, which has several iframes, but all on the same domain, this script works as expected.

The question is: what the hell is cross-domain security checking doing in Greasemonkey? This contradicts this tool's usage. A malicious website cannot install a script; the user must agree to that. I was stuck for a long time on this because Firebug wasn't indicating that the properties it shows on a cross-domain iframe are actually not available to the browser's JS engine.
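
Added example, not part of the original post: how the origin comparison treats the two URLs used above, and a `postMessage` pair that addresses the iframe by its own origin and checks `event.origin` on receipt instead of using "*". The helper names and the stand-in frame object are assumptions made so the block runs under Node as well as in a page.

```javascript
// Origins are compared as scheme + host + port strings. No DNS lookup is done,
// so "localhost" and "127.0.0.1" never match even on the same machine.
function originOf(url, base) {
  return new URL(url, base).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Sender side: address the message to the iframe's own origin instead of "*".
// frameSrc may be relative; it is resolved against the embedding page's URL.
function postToFrame(frameWindow, frameSrc, pageUrl, data) {
  const targetOrigin = originOf(frameSrc, pageUrl);
  frameWindow.postMessage(data, targetOrigin);
  return targetOrigin;
}

// Receiver side: drop any message whose event.origin is not on the allowlist.
// In a page this is registered with window.addEventListener("message", receiver).
function makeReceiver(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins);
  return function (event) {
    if (!allowed.has(event.origin)) return false;
    onMessage(event.data, event.origin);
    return true;
  };
}

// Constructed stand-ins for the browser objects (hypothetical, for the demo only).
const sent = [];
const fakeFrameWindow = { postMessage: (data, origin) => sent.push({ data, origin }) };
const received = [];
const receiver = makeReceiver(["http://localhost"], (data) => received.push(data));

// test.html on localhost posting to iframe.html on 127.0.0.1, as in the post.
const target = postToFrame(fakeFrameWindow, "http://127.0.0.1/iframe.html",
                           "http://localhost/test.html", "hello, iframe!");

// The iframe accepts the message from its parent and rejects another sender.
const acceptedFromParent = receiver({ origin: "http://localhost", data: "hello, iframe!" });
const acceptedFromOther = receiver({ origin: "http://other.example", data: "spoofed" });
```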