cross site scripting

Andy Fish

Hi,

I have a situation where I want a customer to be able to embed my
functionality within their web site, a bit like a counter but more complex
because my functionality consists of several separate frames.

The idea is that the customer will set up several iframes embedded in their
web site, all pointing to the same server on which I'm hosting the service
(slightly different URLS). When the user clicks on one of my iframes, some
javascript happens which changes the view in all of my iframes (i.e.
navigates them to different URLs).

I found that by including a javascript file in the main window, this can be
called from one of the iframes and can manipulate the other iframes.
However, if the iframe the user clicks in is hosted on a different server
from the one owning the javascript, it cannot execute it. This will clearly
be the case in my scenario. Javascript running in one iframe cannot access a
different separate iframe even if it is on the same server.

I guess this is to prevent XSS attacks. In this case, I don't want to update
anything in the customer's window, but I want to be able to "own" several
iframes and have them talk to each other.

If anyone understands what I'm trying to achieve here, any ideas would be
appreciated. Second best would be a definitive statement that it's
impossible.

Andy
 
Ivo

> I found that by including a javascript file in the main window, this can be
> called from one of the iframes and can manipulate the other iframes.
> However, if the iframe the user clicks in is hosted on a different server
> from the one owning the javascript, it cannot execute it. This will clearly
> be the case in my scenario. Javascript running in one iframe cannot access a
> different separate iframe even if it is on the same server.
>
> I guess this is to prevent XSS attacks.

Yes.

> In this case, I don't want to update
> anything in the customer's window, but I want to be able to "own" several
> iframes and have them talk to each other.
>
> If anyone understands what I'm trying to achieve here, any ideas would be
> appreciated. Second best would be a definitive statement that it's
> impossible.

It's impossible. Definitely. All participating frames, framesets, top,
parents, children and what-have-you must be from the same domain. That is
the part between the double slash and first next slash must be the same.
This rule is very strict, I believe that even
http://www.example.com/
and
http://example.com/
are not able to talk to each other.
Sorry. Look for ways not utilizing a multitude of iframes, but perhaps
update an image if you want to invoke a serverside process, such as
form.asp.png?client=ABC&item=code1&quantity=2. Another solution that comes
to mind is to create a popup window with script in your user's page that
points to a frameset on your own site so all frames at least in that window
are from the same domain.
Ivo
 
Andy Fish

Thanks for the quick reply

I was looking for a way to give the customer more control over how my
functionality was presented on their site.

However, it looks like I will just have to put it all in one box that they
can embed as a single frame or iframe.

Andy
 
Richard Cornford

Ivo wrote:
> It's impossible. Definitely.

I agree.

> All participating frames, framesets,
> top, parents, children and what-have-you must be from the same
> domain. That is the part between the double slash and first next
> slash must be the same. This rule is very strict,
> I believe that even
> http://www.example.com/
> and
> http://example.com/
> are not able to talk to each other.
<snip>

That is by default, but those two examples could use the -
document.domain - property to allow them to communicate. But between
http://example.com (and sub domains) and http://notExample.com (and its
sub domains) communication is out of the question (no workaround and no
exceptions except for serious bugs that can be expected to be rapidly
fixed once identified).

The problem is that the IFRAMEs would be leaves in a tree structure in
which everything towards the root is inaccessible for security reasons,
and any javascript communication would have to be via something towards
the root.

The only common point through which the IFRAMEs could communicate would
be the server that they came from. Which would be a nightmare to
implement and orchestrate and probably dependent on some limited (on the
client) technology like ActiveX or Java.

Richard.
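Editor's added example, not code from any poster in this thread: a small Node.js model of the rule Ivo states (frames from different hosts cannot script each other) and the `document.domain` relaxation Richard describes, under which `www.example.com` and `example.com` can opt in to talking to each other while `example.com` and `notExample.com` never can. Browsers compare an origin as the triple of scheme, host and port; the "value must contain a dot" test in `canSetDocumentDomain` is an assumption standing in for the real public-suffix rule (a page cannot set `document.domain` to `com`). Frame descriptions and URLs are constructed for the example. For today's readers, `document.domain` has since been deprecated, and cross-origin frames exchange data through `window.postMessage`, which passes a message without granting script access to the other frame.

```javascript
// Added example (not from the thread): model of the browser's same-origin
// rule for script access between frames, plus the document.domain relaxation.
// Run with: node same_origin_model.js

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin of a frame's URL: scheme, host and effective port.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Strict same-origin comparison: all three components must match.
// http://www.example.com/ and http://example.com/ differ in host, so they fail.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A page may set document.domain only to its own host or a parent domain of it.
// ASSUMPTION: "value contains a dot" approximates the real rule that the value
// must not be a public suffix such as "com".
function canSetDocumentDomain(url, value) {
  const host = originOf(url).host;
  if (value === host) return true;
  return value.includes('.') && host.endsWith('.' + value);
}

// Decide whether frame A may script frame B. Each frame is
// { url, documentDomain }, with documentDomain null when the page never set it.
function canScript(frameA, frameB) {
  const a = originOf(frameA.url), b = originOf(frameB.url);
  if (a.scheme !== b.scheme || a.port !== b.port) return false;

  const aSet = frameA.documentDomain != null;
  const bSet = frameB.documentDomain != null;

  // Neither side relaxed: plain same-origin check on the host.
  if (!aSet && !bSet) return a.host === b.host;
  // Only one side relaxed: denied, even if the hosts were originally equal.
  if (aSet !== bSet) return false;
  // Both relaxed: each value must be legal for its own host, and they must agree.
  if (!canSetDocumentDomain(frameA.url, frameA.documentDomain)) return false;
  if (!canSetDocumentDomain(frameB.url, frameB.documentDomain)) return false;
  return frameA.documentDomain === frameB.documentDomain;
}

// Constructed scenarios mirroring the thread's examples.
function demo() {
  const www = { url: 'http://www.example.com/widget1', documentDomain: null };
  const bare = { url: 'http://example.com/widget2', documentDomain: null };
  const other = { url: 'http://notexample.com/page', documentDomain: null };
  const relaxed = (f) => ({ ...f, documentDomain: 'example.com' });
  return {
    sameHost: canScript(www, { ...www, url: 'http://www.example.com/widget2' }),
    wwwVsBare: canScript(www, bare),
    wwwVsBareRelaxed: canScript(relaxed(www), relaxed(bare)),
    oneSideRelaxed: canScript(relaxed(www), bare),
    unrelatedDomain: canScript(relaxed(bare), relaxed(other)),
  };
}

console.log(demo());
```

The `oneSideRelaxed` case is the one that surprises people: once a page sets `document.domain`, its effective origin changes, so it loses script access even to frames that still share its original host unless they set the same value.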
 
