Same origin policy in IE !

[Turko]

Hi all.
I m searching for the equivalent of :

try {

netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
} catch (e) {
alert("Permission UniversalXPConnect denied.");
}

(that works for mozilla based browsers) in Internet Explorer.
The code above asks to the user to trust the script, so extends
privileges such as same origin policy.
I have a page on local disk with 2 frames : A is a local page, B is on
a server (for example http://www.google.com). I want A to access B
properties (for example parent.B.location.reload() ); on Firefox it
works perfectly (of course only after the consense of the user i.e me),
but in IE I get a "Permission denied error".


Thanks,
Fabio

 

[VK]

Hi all.
I m searching for the equivalent of :

try {

netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
} catch (e) {
alert("Permission UniversalXPConnect denied.");
}

(that works for mozilla based browsers) in Internet Explorer.
The code above asks to the user to trust the script, so extends
privileges such as same origin policy.
I have a page on local disk with 2 frames : A is a local page, B is on
a server (for example http://www.google.com). I want A to access B
properties (for example parent.B.location.reload() ); on Firefox it
works perfectly (of course only after the consense of the user i.e me),
but in IE I get a "Permission denied error".

I presume that your HTML page with the code for Firefox is properly
signed with a valid authority certificate. Otherwise (unless run from
local drive) it will never ask user for extra privileges. (Three-tiers
schema: properly signed code gets /the privilege to ask for extra
privileges/ and on the next step then the user actually either grants
them or declines the request).

IE doesn't have the concept of signed HTML pages/ JScript programs
whatsoever. You have to write an ActiveX (.ocx file) on say C++/C# and
still properly sign it with a valid authority certificate.

 

[Turko]

Yes, my page runs from local drive.
But, how could I do an authority certificate?

And is it dificult writing an activeX? I m a bit familiar with C
language and Java.

Thx

 

[VK]

Yes, my page runs from local drive.
But, how could I do an authority certificate?

You cannot "do" an authority certificate. You have to buy the
certificate from one of authorities considered as being such by UA's.
Thawte certificates are traditionally the best suited ones for code
signing, Verisign the next (despite Thawte and Verisign are really the
same Verisign company, these are two different certificates).

You also can create a self-signed certificate (be your own authority),
but in such case you'll have to add such certificate on each involved
machine.

All together is very far really from the JavaScript programming. Ask at
<comp.lang.java.security> (Due to the signed applet biz in the past
Java users are the most familiar with boring signing tools/certificates
matters)

And is it dificult writing an activeX?

Not overly difficult. Ask for start at
<microsoft.public.windows.inetexplorer.ie6.browser>

What is your final aim anyway? Maybe it can be arranged in some lesser
complicated way (or cannot be arranged at all no matter what).

 

[Turko]

Thanks for reply.
My aim was understanding how IE and Firefox do the sop security issue.