tags:

views:

1105

answers:

7
+1  Q: 

Why can't an iframe set its parent's location.hash?

I have a window containing an iframe, containing an iframe, like so:

+---------------+
|      Top      |
| +-----------+ |
| |   Middle  | |
| | +-------+ | |
| | | Inner | | |
| | +-------+ | |
| +-----------+ |
+---------------+

Top and Middle are on the same domain, but Inner is on a different domain. I need Inner to communicate with Top. The only way I know of to do this which is supported in IE7 (which I need to support) is to change the hash of the window's location. However, I don't want the information to be flickering in the location bar, so I've introduced the Middle iframe.

I want Inner to change Middle's hash. Middle will read its hash and inform Top, whom it has permission to speak to directly.

However, in Firefox 3, I've been unable to write to Middle's hash from Inner. No error is raised, but the hash appears unchanged. Writing to its location.href raises a permissions error.

Top can write to Middle's hash, however, and Middle can write to Inner's hash, and Top can write to Inner's hash, and Inner and Middle can both write to Top's hash, so the only ordered pair that doesn't work is the one I want! (I've been working on this for a while.)

I've reproduced this in a minimal test case. At first, I served all three pages from the same domain. When I put Inner on a different domain, I get the problematic behavior. When I put Middle on the second domain, everyone can write to everyone again.

Why can't Inner write to Middle's hash?

Addendum: Many people have suggested that this shouldn't be possible because of the same-origin policy. This is exactly the policy I am trying to get around. This exact case--setting (but not reading) another window's location--is supposed to be possible across domains. I haven't found browser documentation to this effect, but I have found many articles and demos. This is essentially the precursor to HTML 5's postMessage().

Ref: http://softwareas.com/cross-domain-communication-with-iframes

+1  A: 

Is it only hash, or is it the whole of document.location, that exhibits this behaviour? That might help you narrow down what the cause of the issue is.

Additionally, how different are the domains that Top and Inner are served from? Could you solve this problem using document.domain widening?

DDaviesBrackett  2009-06-15 23:59:08
A: 

Are all the frames containing locations with the same origin? (eg. same protocol, same domain, same port). If they're not it's a potential security vulnerability if one frame can modify the other -- google the same origin policy. But without more details it's difficult to provide a better answer.

olliej  2009-06-16 01:13:14
That's in the question: Top and Middle have the same origin; Inner has a different origin. Setting the location is supposed to be a (safe, and I assume intentional) gap in the same-origin policy. See the question's addendum.
Peeja  2009-06-16 12:52:50
+1  A: 

To be able to set the location.hash you must first get the location. The same origin policy forbids you from getting the location.

David Dorward  2009-06-16 06:31:53
The same origin policy doesn't actually prevent you from getting the Location object, only its properties. You should still be able to set them; see the link in the question's addendum.
Peeja  2009-06-16 12:50:26
A: 

I can't answer the why bit for the hash, but have you seen John Resig's work with postMessage? You're having trouble with FF3, FF3 happens to be one of the browsers that support postMessage, bingo :-)

Failing that, there's the xssinterface library. Seems to be stable, but I haven't personally tried it.

Dan F  2009-06-16 13:26:00
A: 

As Alex said it is a security issue. You can't access Top layer if Inner is on a different domain. This is made to avoid Cross-site Scripting.

Rui Carneiro  2009-08-10 09:58:48
See the question's addendum. Writing to the location is supposed to be allowable, regardless of domains.
Peeja  2009-08-12 01:16:21
A: 

Hi Peeja,

Did you find the answer? I am having similar issues.

Thanks in advance, Jayesh

 2009-09-09 10:54:15
Nope. EricLaw claims it's a known issue with a bug in bugzilla, though he didn't leave a URL. Also, welcome to Stack Overflow, Jayesh! BTW, for future reference, a comment like this would be better suited to the comments section in the question, rather than as an answer.
Peeja  2009-09-11 12:05:53
A: 

Sounds like this is a bug in Firefox, filed in Bugzilla, according to EricLaw.

Peeja  2009-11-15 06:00:52

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript