P
Phlip
Javascripters:
When I hit the following in IE, it puts up an error message "Cannot find
file ...bad%20url... Make sure the path" is correct etc. When I hit it in
Firefox I get no error. (Ironic because Firebug is installed...):
<iframe src='bad url' onerror='alert("yo");' />
What I _want_ to happen is my onerror event fires. I naturally intend to
upgrade the alert("yo"); part into something more germane and
application-specific.
Some documentation out there says IFRAMEs have onerrors and some don't say
they do...
Okay, let's kick this up a notch:
<script src="http://.../prototype.js" type="text/javascript"></script>
<iframe id='fry_me' onerror='alert("yo");' />
<script>
$('fry_me').src = 'bad url';
<script>
Now neither IE nor Firefox produce any error message of any kind. If either
had thrown an error, I could naturally 'try' to 'catch' it in the
Javascript.
Taking out the onerror, and adding a try/catch, also don't work.
Ordinarily, the answer to one of these IFRAME attack questions is to upgrade
the source the IFRAME calls. And of course I can't do that because the error
happens before the IFRAME has a page to evaluate.
I need the IFRAME to respond to URLs which the user supplies, so I need a
healthy and application-specific error path if the URL is wrong. Not the
default irritation -- or the absense thereof!
So how to beat healthy error information out of an IFRAME's src attribute?
When I hit the following in IE, it puts up an error message "Cannot find
file ...bad%20url... Make sure the path" is correct etc. When I hit it in
Firefox I get no error. (Ironic because Firebug is installed...):
<iframe src='bad url' onerror='alert("yo");' />
What I _want_ to happen is my onerror event fires. I naturally intend to
upgrade the alert("yo"); part into something more germane and
application-specific.
Some documentation out there says IFRAMEs have onerrors and some don't say
they do...
Okay, let's kick this up a notch:
<script src="http://.../prototype.js" type="text/javascript"></script>
<iframe id='fry_me' onerror='alert("yo");' />
<script>
$('fry_me').src = 'bad url';
<script>
Now neither IE nor Firefox produce any error message of any kind. If either
had thrown an error, I could naturally 'try' to 'catch' it in the
Javascript.
Taking out the onerror, and adding a try/catch, also don't work.
Ordinarily, the answer to one of these IFRAME attack questions is to upgrade
the source the IFRAME calls. And of course I can't do that because the error
happens before the IFRAME has a page to evaluate.
I need the IFRAME to respond to URLs which the user supplies, so I need a
healthy and application-specific error path if the URL is wrong. Not the
default irritation -- or the absense thereof!
So how to beat healthy error information out of an IFRAME's src attribute?