I've read several of the questions on this but am still a little confused. For example: OK, I can't post examples because of hyperlink limitations

Here is my exact situation.

I have a site at mydomain.com. One of the pages has an iframe to another page at sub.mydomain.com.

I am trying to prepare an onload script so that, if the page is not in an iframe or the parent domain of the page containing the iframe is not mydomain.com, it redirects to mydomain.com.

After the initial permission issues I realised the problem with sub domains counting as separate domains.

One of the posts above says that "could each use either foo.mydomain.com or just mydomain.com"

So I tried (for testing): `onload="document.domain='mydomain.com';alert(parent.location.href);"`

This produced the error (http replaced with lar

```
Error: Permission denied for <http://sub.mydomain.net> (document.domain=<http://mydomain.net>) to get property Location.href from <http://mydomain.net> (document.domain has not been set).
Source File: http://sub.mydomain.net/?pageID=1&framed=1
Line: 1
```

Removing the alert produces no errors.

Maybe I am going about this the wrong way since I do not need to interact with the parent just read its domain if there is one.

A nice simple top.domain. For read only there must be a way so that people can prevent their own pages being used within other people's sites.

A: 

You can't (easily) do this because of security restrictions.

This answer from #2771397 might point you in the right direction.

jnpcl
The thing is I am not trying to manipulate the parent just tell who the parent is. There must, somewhere, be a mechanism for this. Surely it is a security feature, not a security hole to be able to tell who is embedding your page in their site? You can get the IP address of the browser without a hole.. oh, hang on... could that be a way, would the IP address be that of the parent site?
Bodestone
Added note: there is a PHP back end, so if there is stuff I can do there it would be even better, but searching on the web told me there was no way I could find out if the page was in a frame from PHP; I would have to resort to JavaScript.
Bodestone
JavaScript can be blocked, and having that code on your page just gives more information about your security scheme to those who may be using your pages.
jnpcl
This would not be ideal since I host the parent domain but am not 100% in control of the application run from it, but can a parent domain set a cookie for a sub domain that the sub domain could read and say "yup, that's my daddy"? Then I would not have 2 cases (is in frame and if so is it mine); I would just look for the cookie. Trouble there is it would need to auto expire, and would it do so before the iframe read it?
Bodestone
Cookies can't be read cross-domain, either.
jnpcl
There must be a way to say "if I am not within a frame in mydomain.com".... be it server or client side
Bodestone
The answer you're looking for doesn't exist. From a browser security perspective, if your site is `http://mysite.com`, then `http://stuff.mysite.com` might as well be `http://stuff.someothersite.com`.. even though it's on the same primary domain, it's not on the -same- domain.
jnpcl
Server-side is the only method that's going to work for this. Client-side won't work because of security restrictions, and even if we ignore that part, having client-side code means the client can disable it.
jnpcl
I'll keep looking then. The only reason I was looking for a JavaScript solution was that all my searching for a server side solution brought back results telling me there was no way in PHP to tell if the page was in a frame or not.
Bodestone
Is there any information at all about the parent that can be read if the parent is in a different domain?
Bodestone
No. Security limitation.
jnpcl
A: 

OK, while looking at the error console I still had open when I got home a wee lightbulb lit up. I am pretty new to javascript (can you tell ;) but I thought "If it has try/catch"...

Well, here is a hack at least to get the name of the top domain, and an example of how I will use it in my site to show content only if the page is a frame in the correct domain.

Firstly the header will have the following partially PHP generated function:

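```javascript
// createCookie() is assumed to be defined elsewhere on the page.
function getParentDomain()
{
  try
  {
    // Throws when the top window is on a different origin.
    var wibble = top.location.href;
  }
  catch (err)
  {
    // Relies on the browser including the parent's URL in the error text.
    if (err.message.indexOf('http://mydomain.com') != -1)
    {
      createCookie('IAmAWomble', 'value');
    }
  }
}
```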

Basically the value will be something based on the PHP session I think. This will be executed at page load.

If the page is not within the proper site or if javascript is not enabled then the cookie will not be created. PHP will then attempt to read the correct value from the cookie and show the content or an error message as appropriate.

I do see a slight flaw in this for first visit since page load will run after PHP has generated the content but I'm sure I can work around this somehow. I thought I'd post because this is at least what I was initially asking for and that is a way to read the URL of a parent site if it is in a different domain to the site in the frame.

Bodestone
Foiled again. Of course, as soon as I switched browser the error messages changed, becoming a lot more terse, down to the IE "Permission denied". Oh well, I suppose I found a loophole for it in Firefox at least, and for a while my hopes were up and I felt smug. Silly me.
Bodestone
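
An added example, not part of either answer: a parent check that does not parse browser error text and compares the embedding origin exactly rather than by substring. `framingDecision`, `ALLOWED_PARENTS` and the window-like `win` parameter are names assumed here; it reads `location.ancestorOrigins` where the browser provides it and falls back to `document.referrer`.

```javascript
// Assumed policy: the only origins allowed to frame this page.
const ALLOWED_PARENTS = ['http://mydomain.com', 'https://mydomain.com'];

// Comparing window references is permitted even across origins.
// `win` is a window-like object; in a real page pass `window`.
function isFramed(win) {
  return win.self !== win.top;
}

function parentOrigin(win) {
  // Some browsers list the embedding origins, immediate parent first.
  const chain = win.location && win.location.ancestorOrigins;
  if (chain && chain.length > 0) return chain[0];
  // Fallback: in a freshly loaded frame the referrer is the embedding page,
  // unless a referrer policy removed it or the frame has navigated since.
  const ref = win.document && win.document.referrer;
  if (!ref) return null;
  try {
    return new URL(ref).origin;
  } catch (e) {
    return null; // unparsable referrer: treat the parent as unknown
  }
}

function framingDecision(win, allowed = ALLOWED_PARENTS) {
  if (!isFramed(win)) return { allow: false, reason: 'not-framed' };
  const origin = parentOrigin(win);
  if (origin === null) return { allow: false, reason: 'parent-unknown' };
  // Exact origin match: a substring test such as indexOf() would also
  // accept a constructed host like http://mydomain.com.example.net.
  return allowed.includes(origin)
    ? { allow: true, reason: 'parent-allowed', origin }
    : { allow: false, reason: 'parent-not-allowed', origin };
}

// Assumed usage in the framed page, matching the redirect in the question:
// if (!framingDecision(window).allow) window.location.replace('http://mydomain.com/');
```

This check is advisory, since script can be disabled. Browsers enforce the same rule without script when sub.mydomain.com sends the response header `Content-Security-Policy: frame-ancestors http://mydomain.com`.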