How to prevent JavaScript from executing in an iframe

seans

Hi,

Is there some way of preventing the JavaScript code in a document
loaded into an iframe from executing? I don't have access to the pages
being loaded into the i-frame so I can't modify them. They are being
loaded from a server.

thanks again.

sean
 
Richard Cornford

seans said:
Is there some way of preventing the JavaScript code
in a document loaded into an iframe from executing?

Disable javascript in your browser, or configure the browser to ask for
permission to execute each script, and deny it for the scripts in the
frames. If you mean that you want to prevent the execution of these
scripts on other users' browsers then you cannot, it is up to them to
make that decision.

seans said:
I don't have access to the pages being loaded
into the i-frame so I can't modify them.

Does this mean they are someone else's pages?

seans said:
They are being loaded from a server.

Now that is a novel idea :)

Richard.
 
seans

Richard said:
Disable javascript in your browser, or configure the browser to ask for
permission to execute each script, and deny it for the scripts in the
frames. If you mean that you want to prevent the execution of these
scripts on other users' browsers then you cannot, it is up to them to
make that decision.

Does this mean they are someone else's pages?

Now that is a novel idea :)

Richard.

Hi Richard thanks for your reply. Yes they are somebody else's pages so
I can't make any changes to them.

thanks
sean
 
Jim Davis

seans said:
Hi,

Is there some way of preventing the JavaScript code in a document
loaded into an iframe from executing? I don't have access to the pages
being loaded into the i-frame so I can't modify them. They are being
loaded from a server.

I may be misunderstanding your question but I'll give it a shot.

In general there's no simple way, but the matter rests on the source servers
for the material.

If the iFrame source is loaded from a server DIFFERENT from the one from
which the main page source was loaded then the browser security model will
prevent you from accessing the content of that page. There's no way around
this on the client-side (or, at the very least, any way around this is a
MAJOR security flaw).

In short: while you can load content from other servers into your frames and
iFrames you cannot actually "touch" that content at all. It's not yours -
hands off.

If the iFrame source is from the SAME server then you may be able to jury
rig something... but it will be a tenuous solution at best. One obvious
option is to use XMLHttpRequest to fetch the source code meant for the
iFrame and manipulate it (strip out the script) before loading it into the
iFrame. This is riddled with problems however...

+) Any links or references in the iFrame will have to be examined: the
iFrame content's context will no longer be the same as if you allowed it to
be served normally. Relative links may (probably will) break. HREFs may
not (probably won't) function any longer.

+) As you've stated you have no control over the iFrame content, there's
nothing to stop it from changing and breaking your code (the likelihood of
this happening in any so-called "screen scraping" operation is generally
assumed to be 1 in 1). If your code to remove the offending script is too
specific it will probably break even sooner... if it's too general it will
probably break too much in the target page.

+) It also converts a simple task (changing the href of an iFrame) to a much
more complex one: this ain't never a good ideer.

All told it's really simplest to just consider it un-doable. ;^)

Jim Davis
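
The same-origin fetch-and-strip approach described in the post above, as an added example that is not part of the original thread: it assumes the HTML has already been fetched from the page's own server (for instance with XMLHttpRequest), removes script elements, inline handlers and `javascript:` URLs, and pins a `<base>` so relative links keep resolving against the original URL. `stripScripts`, `PAGE_URL` and `SAMPLE_HTML` are names made up for the example, and the filter is pattern-based, so it shares the brittleness the post describes.

```javascript
// Added example, not code from the thread. PAGE_URL and SAMPLE_HTML are constructed.
const PAGE_URL = "https://example.test/docs/page.html";
const SAMPLE_HTML = [
  '<html><head><title>t</title><script src="track.js"></script></head>',
  '<body onload="init()">',
  `<a href="javascript:go('next')" onclick='log(1)'>next</a>`,
  '<a href="other.html">other</a>',
  "<p>Set onscreen=1 in the config</p>",
  "<script>document.write('x')</script>",
  "</body></html>",
].join("\n");

// Inline event handlers (onload=, onclick=, ...) and URL-bearing attributes.
const ON_ATTR = /\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
const URL_ATTR = /\b(href|src|action)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

function stripScripts(html, pageUrl) {
  // 1. Remove <script> elements with their bodies, then any unclosed opening tag.
  let out = html
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, "")
    .replace(/<script\b[^>]*>/gi, "");

  // 2. Rewrite attributes inside opening tags only, so body text that merely
  //    looks like an attribute ("onscreen=1") is left alone.
  out = out.replace(/<[a-z][^>]*>/gi, (tag) =>
    tag.replace(ON_ATTR, "").replace(URL_ATTR, (attr, name, value) => {
      const url = value.replace(/^["']|["']$/g, "").replace(/\s+/g, "");
      return /^javascript:/i.test(url) ? `${name}="#"` : attr;
    })
  );

  // 3. Restore the document's original context for relative links by pinning
  //    a <base> to the URL the source was fetched from.
  const safeUrl = pageUrl.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  const base = `<base href="${safeUrl}">`;
  return /<head\b[^>]*>/i.test(out)
    ? out.replace(/<head\b[^>]*>/i, (m) => m + base)
    : base + out;
}

// In a browser the result would then be loaded into the iframe,
// for example with frame.srcdoc = cleaned.
const cleaned = stripScripts(SAMPLE_HTML, PAGE_URL);
console.log(cleaned);
```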
 
seans

Jim said:
I may be misunderstanding your question but I'll give it a shot.

In general there's no simple way, but the matter rests on the source servers
for the material.

If the iFrame source is loaded from a server DIFFERENT from the one from
which the main page source was loaded then the browser security model will
prevent you from accessing the content of that page. There's no way around
this on the client-side (or, at the very least, any way around this is a
MAJOR security flaw).

In short: while you can load content from other servers into your frames and
iFrames you cannot actually "touch" that content at all. It's not yours -
hands off.

If the iFrame source is from the SAME server then you may be able to jury
rig something... but it will be a tenuous solution at best. One obvious
option is to use XMLHttpRequest to fetch the source code meant for the
iFrame and manipulate it (strip out the script) before loading it into the
iFrame. This is riddled with problems however...

+) Any links or references in the iFrame will have to be examined: the
iFrame content's context will no longer be the same as if you allowed it to
be served normally. Relative links may (probably will) break. HREFs may
not (probably won't) function any longer.

+) As you've stated you have no control over the iFrame content, there's
nothing to stop it from changing and breaking your code (the likelihood of
this happening in any so-called "screen scraping" operation is generally
assumed to be 1 in 1). If your code to remove the offending script is too
specific it will probably break even sooner... if it's too general it will
probably break too much in the target page.

+) It also converts a simple task (changing the href of an iFrame) to a much
more complex one: this ain't never a good ideer.

All told it's really simplest to just consider it un-doable. ;^)

Jim Davis

Hi,

Sorry for the late reply. Thanks for all your responses.

sean
 
