Re: Cross domain iframe access



On May 22, 1:20 am, "Richard Cornford" <Rich...@xxxxxxxxxxxxxxxxxxx>
wrote:
A demonstration might be the following minimal HTML page. If reading the
value of the - location - property of an IFRAME that contained a page
from a different domain neither of the two alerts in the following code
would be shown. But in reality both are shown when the browser is IE,
Firefox or Opera (and very probably all others).

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title></title>
<script type="text/javascript">
window.onload = function(){
    alert(
        'frames["test"].location.dummy = '+
        frames["test"].location.dummy
    ); // Expect "undefined".

    alert(
        'typeof frames["test"].location = '+
        (typeof frames["test"].location)
    ); // Expect "object" (but possibly "function").
};
</script>
</head>
<body>
<iframe src="http://www.google.com/" id="test" name="test"></iframe>
</body>
</html>

It is for two reasons:
1) applicable to Netscape and IE at the time of the events, it was an
emergency security patch to do it anyhow but bulletproof yet quickly.
2) at that time the idea of handled exceptions was in its very
babyhood and "throw" even for programmers was first associated with
stones or money :-) rather than with some programming matters. While
for Java it could make some small sense, throwing any kind of
exceptions in an environment that didn't implement any mechanics for
them would be silly.

So instead a brute force interceptor was planted into the property
resolution chain:

on a PROPERTY_GET request reaching the "location" point the real value is
thrown away and set to undefined (later many producers decided that it
is cleaner to set it to null instead, so this is what you get in, say,
Gecko builds).

on a PROPERTY_SET request reaching the "location" point the value to set is
thrown away but PROPERTY_SET_OK is reported back. A bit confusing but it
makes sense as one doesn't break code execution unless it is indeed
necessary to break the code execution. This way one can set any
properties to window.location and the program will keep working as
long as she doesn't try to read them back.

The younger generation of browsers simply emulates this behavior
because it is like DOM 0 - survival compatibility minimum first,
anything else after.
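
The interception described in the post above, modelled as an added example that is not part of the original thread and is not browser source code. A JavaScript Proxy stands in for the cross-domain location object; the names guard and probe, the policy labels and the sample URLs are assumptions made for the illustration.

```javascript
// Constructed sample data standing in for the other domain's location object.
const realLocation = { href: "http://other.example/private?id=42" };

// policy "silent":   the interceptor the post describes (get -> undefined,
//                    set -> value discarded but success reported).
// policy "throwing": the alternative the post says was not chosen.
function guard(target, policy) {
  const deny = (op, prop) => {
    throw new Error("Permission denied to " + op + " property " + String(prop));
  };
  return new Proxy(target, {
    get(t, prop) {
      if (policy === "throwing") deny("get", prop);
      return undefined; // the real value is thrown away
    },
    set(t, prop, value) {
      if (policy === "throwing") deny("set", prop);
      return true; // value discarded, "set OK" reported to the caller
    },
  });
}

// Same accesses as the demonstration page, plus a write and a read-back.
function probe(location) {
  const out = { threw: false };
  try {
    out.typeofLocation = typeof location; // typeof never reaches the traps
    out.dummy = location.dummy;
    location.href = "http://caller.example/";
    out.readBack = location.href;
  } catch (e) {
    out.threw = true;
    out.error = e.message;
  }
  return out;
}

console.log("silent:  ", probe(guard(realLocation, "silent")));
console.log("throwing:", probe(guard(realLocation, "throwing")));
console.log("target untouched:", realLocation.href);
```

Under the silent policy the calling script runs to completion and learns nothing, and the write never reaches the protected object; under the throwing policy the first property read stops the script.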