I have a .jsp that contains an IFrame with a page that has some embedded JavaScript. This JavaScript accesses some DOM elements in the parent page (the one containing the IFrame).

The embedded page is going to be on a separate sub-domain from the parent page, and I realize that there are some security implications. My impression is that the document.domain of any pages embedded in IFrames must match the document.domain of parent pages for cross-IFrame access to be allowed. The embedded page currently contains the following code to 'broaden' the scope of its security:

document.domain = 'domain.com'; //where domain.com is my domain

It then proceeds to access DOM elements in the parent document.

I am currently testing this, and have modified the hosts file on the Windows machine serving the parent page with the following entry:

127.0.0.1 domain.com

The goal is to trick JavaScript on the parent page into believing that the document in the embedded page is being served from the same domain.

I then browse to the page on the same machine. Despite the document.domain showing up as 'domain.com' in both my parent and embedded pages as observed through Firebug, I am getting 'Permission denied' errors when attempting to get or set DOM properties from JavaScript running in the embedded page.

Am I missing something? Thanks in advance for any suggestions or comments!

+1  A: 

Even though the "document.domain" properties look the same, from the MSDN documentation it sounds like you still have to explicitly set them to be the same:

All the pages on different hosts must have the domain property explicitly set to the same value to communicate successfully with each other. For example, the value of the domain property of a page on the host microsoft.com is "microsoft.com" by default. It might seem logical that if you set the domain property of a page on another host named msdn.microsoft.com to "microsoft.com," that the two pages could communicate with each other. However, this is not the case, unless you explicitly set the domain property of the page on microsoft.com to "microsoft.com."

David
I believe you are correct. I tried explicitly setting the document.domain property in the JavaScript code to the same value I have in my hosts file. Once I did this, the errors were resolved. This is very strange, however. I observed the value of the document.domain property before explicitly setting it and after, and the value was unchanged. Yet, somehow this caused everything to work. Perhaps there is something else going on that I am not aware of that is resolved by setting this property in the code.
tehblanx
The link you posted is very helpful as well! Thank you very much!
tehblanx
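
An added example (not part of the original thread or of the MSDN documentation) that models the HTML Standard's "same origin-domain" comparison, which is why the explicit assignment matters even when the value read back is unchanged. The `ModelDocument` class, the host name `sub.domain.com` and the paths are constructed for illustration.

```javascript
// Origin model: (scheme, host, port, domain). "domain" stays null until a
// script assigns document.domain, even if the assigned value equals the host.
class ModelDocument {
  constructor(url) {
    const u = new URL(url);
    this.origin = { scheme: u.protocol, host: u.hostname, port: u.port, domain: null };
  }
  // Reading document.domain: the explicit domain if set, otherwise the host.
  get domain() {
    return this.origin.domain !== null ? this.origin.domain : this.origin.host;
  }
  // Assigning document.domain: only the host itself or a parent suffix is allowed.
  // Simplification: real browsers also reject public suffixes such as "com".
  set domain(value) {
    const host = this.origin.host;
    if (value !== host && !host.endsWith("." + value)) {
      throw new Error("SecurityError: " + value + " is not a suffix of " + host);
    }
    this.origin.domain = value;
  }
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Both sides must have opted in (non-null, equal domains), or neither.
function sameOriginDomain(docA, docB) {
  const a = docA.origin, b = docB.origin;
  if (a.domain !== null && a.domain === b.domain) return a.scheme === b.scheme;
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false;
}

function scenario() {
  const parent = new ModelDocument("http://domain.com/parent.jsp");       // constructed
  const frame = new ModelDocument("http://sub.domain.com/embedded.html"); // constructed
  const steps = [];
  steps.push(sameOriginDomain(parent, frame)); // different hosts: denied
  frame.domain = "domain.com";                 // only the embedded page opts in
  steps.push(parent.domain === frame.domain);  // values read identically
  steps.push(sameOriginDomain(parent, frame)); // still denied: parent never set it
  parent.domain = "domain.com";                // same value, now explicit
  steps.push(sameOriginDomain(parent, frame)); // access allowed
  return steps;
}
console.log(scenario());
```

The `document.domain` setter is deprecated in current browsers; `window.postMessage` with an explicit origin check on the receiving side is the supported way for frames on different sub-domains to communicate.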
A: 

Hi,

you could put a proxy to redirect requests of <iframe src="http://domain.com/fake/"> to the right place.

It's just an idea...

Regards.

ATorras