cross site scripting

Discussion in 'Javascript' started by Andy Fish, Apr 2, 2004.

  1. Andy Fish

    Andy Fish Guest

    Hi,

    I have a situation where I want a customer to be able to embed my
    functionality within their web site, a bit like a counter but more complex
    because my functionality consists of several separate frames.

    The idea is that the customer will set up several iframes embedded in their
    web site, all pointing to the same server on which I'm hosting the service
    (slightly different URLS). When the user clicks on one of my iframes, some
    javascript happens which changes the view in all of my iframes (i.e.
    navigates them to different URLs).

    I found that by including a javascript file in the main window, this can be
    called from one of the iframes and can manipulate the other iframes.
    However, if the iframe the user clicks in is hosted on a different server
    from the one owning the javascript, it cannot execute it. This will clearly
    be the case in my scenario. Javascript running in one iframe cannot access a
    different separate iframe even if it is on the same server.

    I guess this is to prevent XSS attacks. In this case, I don't want to update
    anything in the customer's window, but I want to be able to "own" several
    iframes and have them talk to each other.

    If anyone understands what I'm trying to achieve here, any ideas would be
    appreviated. Second best would be a definitive statement that it's
    impossible.

    Andy
     
    Andy Fish, Apr 2, 2004
    #1
    1. Advertising

  2. Andy Fish

    Ivo Guest

    "Andy Fish" wrote
    > I found that by including a javascript file in the main window, this can

    be
    > called from one of the iframes and can manipulate the other iframes.
    > However, if the iframe the user clicks in is hosted on a different server
    > from the one owning the javascript, it cannot execute it. This will

    clearly
    > be the case in my scenario. Javascript running in one iframe cannot access

    a
    > different separate iframe even if it is on the same server.
    >
    > I guess this is to prevent XSS attacks.


    Yes.

    > In this case, I don't want to update
    > anything in the customer's window, but I want to be able to "own" several
    > iframes and have them talk to each other.
    >
    > If anyone understands what I'm trying to achieve here, any ideas would be
    > appreviated. Second best would be a definitive statement that it's
    > impossible.


    It 's impossible. Definitely. All participating frames, framesets, top,
    parents, children and what-have-you must be from the same domain. That is
    the part between the double slash and first next slash must be the same.
    This rule is very scrict, I believe that even
    http://www.example.com/
    and
    http://example.com/
    are not able to talk to eachother .
    Sorry. Look for ways not utilizing a multitude of iframes, but perhaps
    update an image if you want to invoke a serverside process, such as
    form.asp.png?client=ABC&item=code1&quantity=2. Another solution that comes
    to mind is to create a popup window with script in your user's page that
    points to a frameset on your own site so all frames at least in that window
    are from the same domain.
    Ivo
     
    Ivo, Apr 2, 2004
    #2
    1. Advertising

  3. Andy Fish

    Andy Fish Guest

    Thanks for the quick reply

    I was looking for a way to give the customer more control over how my
    functionality was presented on their site.

    However, it looks like I will just have to put it all in one box that they
    can embed as a single frame or iframe

    Andy

    "Ivo" <> wrote in message
    news:406d2f9b$0$24454$...
    > "Andy Fish" wrote
    > > I found that by including a javascript file in the main window, this can

    > be
    > > called from one of the iframes and can manipulate the other iframes.
    > > However, if the iframe the user clicks in is hosted on a different

    server
    > > from the one owning the javascript, it cannot execute it. This will

    > clearly
    > > be the case in my scenario. Javascript running in one iframe cannot

    access
    > a
    > > different separate iframe even if it is on the same server.
    > >
    > > I guess this is to prevent XSS attacks.

    >
    > Yes.
    >
    > > In this case, I don't want to update
    > > anything in the customer's window, but I want to be able to "own"

    several
    > > iframes and have them talk to each other.
    > >
    > > If anyone understands what I'm trying to achieve here, any ideas would

    be
    > > appreviated. Second best would be a definitive statement that it's
    > > impossible.

    >
    > It 's impossible. Definitely. All participating frames, framesets, top,
    > parents, children and what-have-you must be from the same domain. That is
    > the part between the double slash and first next slash must be the same.
    > This rule is very scrict, I believe that even
    > http://www.example.com/
    > and
    > http://example.com/
    > are not able to talk to eachother .
    > Sorry. Look for ways not utilizing a multitude of iframes, but perhaps
    > update an image if you want to invoke a serverside process, such as
    > form.asp.png?client=ABC&item=code1&quantity=2. Another solution that comes
    > to mind is to create a popup window with script in your user's page that
    > points to a frameset on your own site so all frames at least in that

    window
    > are from the same domain.
    > Ivo
    >
    >
     
    Andy Fish, Apr 2, 2004
    #3
  4. Ivo wrote:
    <snip>
    > It 's impossible. Definitely.


    I agree.

    > All participating frames, framesets,
    > top, parents, children and what-have-you must be from the same
    > domain. That is the part between the double slash and first next
    > slash must be the same. This rule is very scrict,
    > I believe that even
    > http://www.example.com/
    > and
    > http://example.com/
    > are not able to talk to eachother .

    <snip>

    That is by default, but those two examples could use the -
    document.domain - property to allow them to communicate. But between
    http://example.com (and sub domains) and http://notExampe.com (and its
    sub domains) communication is out of the question (no workaround and no
    exceptions except for serious bugs that can be expected to be rapidly
    fixed once identified).

    The problem is that the IFRAMEs would be leafs in a tree structure in
    which everything towards the root is inaccessible for security reasons,
    and any javascript communication would have to be via something towards
    the root.

    The only common point through which the IFRAMEs could communicate would
    be the server that they came from. Which would be a nightmare to
    implement and orchestrate and probably dependent on some limited (on the
    client) technology like ActiveX or Java.

    Richard.
     
    Richard Cornford, Apr 2, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Scott M.

    Cross-Site Scripting...

    Scott M., Dec 22, 2003, in forum: ASP .Net
    Replies:
    7
    Views:
    3,416
    Steven Cheng[MSFT]
    Dec 24, 2003
  2. Earl Teigrob
    Replies:
    0
    Views:
    554
    Earl Teigrob
    Feb 18, 2004
  3. =?Utf-8?B?QnJhZCBRdWlubg==?=

    Cross site scripting

    =?Utf-8?B?QnJhZCBRdWlubg==?=, Apr 27, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    440
    Brock Allen
    Apr 28, 2005
  4. Replies:
    3
    Views:
    817
  5. Qaurk Noble

    Preventing Cross Site Scripting

    Qaurk Noble, Dec 11, 2003, in forum: Java
    Replies:
    0
    Views:
    417
    Qaurk Noble
    Dec 11, 2003
Loading...

Share This Page