Notice how Firebug can access the DOM of cross-domain iframes and even allow you to modify them? I'm wondering if there is a Firefox addon extension or a config setting that will allow a page on our intranet to do this.

Longer explanation:

I have two "kiosks" in our reception area that the public can use. As we're running in kiosk mode (fullscreen, no chrome), I have created a small web application consisting of a menu and an IFRAME. The menu allows users to browse to approved sites and also perform actions like printing. It also gloms onto requests for popup windows and instead overlays them in a modal iframe rather than allowing the browser and OS chrome to be exposed - breaking the "kiosk" experience.

Obviously, this works perfectly on anything internal because it's all on the same domain. It gets trickier when browsing external sites because the XSS protection kicks in and you can't see the DOM inside the IFRAME.

I have also tried using a web-based proxy server on the same domain (PHProxy for example), which works okay, but there are horrible edge cases where it doesn't work - a big one is the CAPTCHA on our website forms. So that's pretty much not an option for me.


Basically I think the only solution that will work for me is to modify the browser in some way using a security setting or an addon. Any ideas?

Thanks guys very much for your time and consideration. It is VERY much appreciated.

--Iain

A: 

There is a way for unprivileged JavaScript code (loaded from a web page) to request more privileges in Firefox. This is an old, non-standard API that prompts the user for permission and if accepted allows the JavaScript to do things normal JavaScript cannot. One of these things is to bypass Same Origin Policy.

Sample code:

    try {
        // ask user for permission
        netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
    } catch (e) {
        // user refused permission
        alert('Permission "UniversalBrowserRead" was denied.');
    }
    // Should now be capable of bypassing same origin policy if user accepted

Since the kiosk browser does not restart (I suppose) very often, the dialog just has to be accepted once. Not sure this is the most elegant solution but might work, at least for now (the API is old and might disappear).

Here is a link for more details: http://www.mozilla.org/projects/security/components/signed-scripts.html#privs-list

While looking for the exact privilege name I found this page about Security Policies in Firefox. This would be a much nicer solution. I have never used it, so I cannot give more info, but here is the link, might be a good place to start looking:

http://www.mozilla.org/projects/security/components/ConfigPolicy.html

Hope this helps!

fms
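
An added example, not part of the answer above: a kiosk page relying on this API has to handle both the prompt being refused and the API being absent altogether, and the legacy API scopes an enabled privilege to the function that requested it, so the cross-domain read is kept in that same function. `readFrameTitle`, `makeStubBrowser` and the `env` parameter (standing in for `window`) are hypothetical names, and the stub browser is constructed for illustration.

```javascript
// Request UniversalBrowserRead and read the frame's title in the SAME
// function, since the legacy API scopes the privilege to the requester.
// `env` is the page's global object (pass `window` in a browser).
function readFrameTitle(frame, env) {
  var pm = env.netscape && env.netscape.security &&
           env.netscape.security.PrivilegeManager;
  if (!pm || typeof pm.enablePrivilege !== 'function') {
    // API not available in this browser build: nothing to request.
    return { ok: false, reason: 'api-missing' };
  }
  try {
    pm.enablePrivilege('UniversalBrowserRead'); // prompts the user
  } catch (e) {
    return { ok: false, reason: 'denied' };     // user refused the prompt
  }
  try {
    return { ok: true, title: frame.contentDocument.title };
  } catch (e) {
    return { ok: false, reason: 'blocked' };    // same-origin check still applied
  }
}

// Constructed stand-in for a browser: the frame's document is readable
// only after the privilege has been granted.
function makeStubBrowser(userAccepts, apiPresent) {
  var granted = false;
  var env = apiPresent ? { netscape: { security: { PrivilegeManager: {
    enablePrivilege: function (name) {
      if (!userAccepts) throw new Error('Permission denied: ' + name);
      granted = true;
    }
  } } } } : {};
  var frame = {};
  Object.defineProperty(frame, 'contentDocument', { get: function () {
    if (!granted) throw new Error('Permission denied to access document');
    return { title: 'External site' };
  } });
  return { env: env, frame: frame };
}

var demo = makeStubBrowser(true, true);
console.log(readFrameTitle(demo.frame, demo.env));
```
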
A: 

I found an addon called CrossDomain. The addon hasn't yet been updated for newer versions of Firefox. In the end, I solved this whole problem by writing an HTA and using the Internet Explorer rendering engine - which made my IT manager happy :). Here is the link to CrossDomain in case this helps someone one day. Thank you everyone for your submissions.

https://addons.mozilla.org/en-US/firefox/addon/13004/

Iain Fraser