Spurious security error when accessing pop-up data

KKramsch

My code is generating this type of error:

Security Error: Content at http://nonexistent.org/somepage.html
may not load data from about:blank.

The "about:blank" page mentioned in the error message is a pop-up
window, whose content is 100% dynamically-generated, and which
in fact *owes its existence* to code in the referring page
(nonexistent.org/somepage.html), along the lines of something like

window.open("", "pop-up", "width=450,height=300,resizable");

So, AFAICT, the error is spurious (i.e. there's really no security
breach). Is there any way to inform the browser that "about:blank"
does belong to nonexistent.org?

Thanks!

Karl
 
Grant Wagner

KKramsch said:
My code is generating this type of error:

Security Error: Content at http://nonexistent.org/somepage.html
may not load data from about:blank.

The "about:blank" page mentioned in the error message is a pop-up
window, whose content is 100% dynamically-generated, and which
in fact *owes its existence* to code in the referring page
(nonexistent.org/somepage.html), along the lines of something like

window.open("", "pop-up", "width=450,height=300,resizable");

So, AFAICT, the error is spurious (i.e. there's really no security
breach). Is there any way to inform the browser that "about:blank"
does belong to nonexistent.org?

Thanks!

Karl

about:blank and any page loaded from your domain are indeed from
completely different domains, and should not be able to modify each
others' content.

Just use:

window.open("blank.htm" ...);

and in blank.htm:

<html>
<head>
<title>blank.htm</title>
</head>
<body onload="if (opener && opener.callBack) opener.callBack();">
</body>
</html>

Now the document in the newly opened window has also originated from
your domain. Also, you now have a way to trigger a script in the opener
once you are sure the new document has completely loaded (and there is
in fact a document object in the new window to be manipulated).
 
KKramsch

In said:
KKramsch wrote:
about:blank and any page loaded from your domain are indeed from
completely different domains, and should not be able to modify each
others' content.
Just use:
window.open("blank.htm" ...);
and in blank.htm:
<html>
<head>
<title>blank.htm</title>
</head>
<body onload="if (opener && opener.callBack) opener.callBack();">
</body>
</html>

Hi! Thanks! But isn't there a way to do this without requiring
a dummy blank.htm file being physically on the disk?

Karl
 
KKramsch

Hi! Thanks! But isn't there a way to do this without requiring
a dummy blank.htm file being physically on the disk?



After my last post it occurred to me that it would be better to
post more code. The code in question belongs to a utilities
JavaScript "module" for use by all my CGI scripts; it includes the
following methods (error occurs in the console() method):

var Console;

function maybe_open_console() {
    if (!Console || Console.closed) {
        Console = window.open("","console","width=600,height=300,resizable");
    }
    try {
        return Console.document && Console.document.open;
    }
    catch (ex) { return false; }
}

function console(msg) {
    if (maybe_open_console()) {
        var d = Console.document;

        // The next line of code causes the security error
        d.open("text/plain");

        d.write(msg);
        d.close();
    }
}


The console() method is to be used for debugging purposes. It
pops up a window if necessary and writes a message to it. I have
indicated the line in it that causes the error.

Since I want this method to be usable by any CGI script, I'd like
to minimize dependencies on other files (such as a dummy blank.htm
file somewhere below docroot).

Any suggestions on how to implement this would be much appreciated!

Karl
 
Grant Wagner

KKramsch said:
Hi! Thanks! But isn't there a way to do this without requiring
a dummy blank.htm file being physically on the disk?

<script type="text/javascript">
var Console;
function console(msg) {
    // msg is concatenated into the markup as-is (no escaping)
    var content = '<html>' +
        '<head>' +
        '<title>Console</title>' +
        '</head>' +
        '<body>' + '<pre>' +
        msg +
        '</pre>' + '</body>' +
        '</html>';
    if (!Console || Console.closed) {
        // No console window yet: open one whose javascript: URL
        // evaluates to the content string
        Console = window.open(
            "javascript:'" + content + "'",
            "console",
            "width=600,height=300,resizable"
        );
    } else {
        // Window already open: rewrite its document and bring it forward
        Console.document.open();
        Console.document.write(content);
        Console.document.close();
        Console.focus();
    }
}
</script>
<a href="#" onclick="console('hi there');return false;">Click this first</a>
<br>
<a href="#" onclick="console('already open');return false;">Click this second *before* closing the console window</a>

Tested and working in: IE6SP1, Netscape 4.78, Firefox 0.9.2 and Mozilla 1.7.1

In Opera 7.52, you get:
Event thread: onclick
Error:
name: ReferenceError
message: Security error: attempted to read protected variable

on the second call to console(). Uncommenting the alert() reveals that Console is "object
inaccessible".

The fact that it works in Firefox and Mozilla tells me that either it's one of the following:
a) an overly zealous security model in Opera b) a bug in Opera c) a bug in the security model
of Gecko and what I'm doing really shouldn't be allowed.

I'm guessing (and hoping) it's a) or b).

It doesn't work at all in Opera 6.05.
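
An added example, not code from either poster: the console helpers in this thread write msg into the pop-up unescaped, so this variant escapes every message before writing it and returns false, instead of throwing, when the browser denies access to the pop-up's document. The names escapeHtml, buildConsoleHtml and createConsole are hypothetical, and it assumes a browser that lets the opener script the window it opened with an empty URL.

```javascript
// Added example; escapeHtml, buildConsoleHtml and createConsole are hypothetical names.
function escapeHtml(text) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Build the whole pop-up document; every message is escaped before it is
// placed inside <pre>, so it is displayed, never parsed as markup.
function buildConsoleHtml(messages) {
  return "<html><head><title>Console</title></head><body><pre>" +
    messages.map(escapeHtml).join("\n") +
    "</pre></body></html>";
}

// openWindow is passed in so the logic can run outside a browser. In a page:
//   var debugLog = createConsole(function (u, n, f) { return window.open(u, n, f); });
function createConsole(openWindow) {
  var win = null;
  var messages = [];
  return function (msg) {
    messages.push(msg);            // buffered even when the write fails
    try {
      if (!win || win.closed) {
        win = openWindow("", "console", "width=600,height=300,resizable");
      }
      if (!win) { return false; }  // pop-up blocked
      var d = win.document;        // may throw if the browser denies access
      d.open();
      d.write(buildConsoleHtml(messages));
      d.close();
      return true;
    } catch (ex) {
      return false;                // security error: report, do not break the caller
    }
  };
}
```

Because the messages are buffered, a write that fails once is not lost: the next successful call redraws the full log.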
 
