I am trying to figure out a way to have someone auto complete a survey and then press submit. I have figured out have to get the information prefilled. The issue comes in when pressing submit.
I followed this link Link Here However, I get this error SecurityError: Permission denied to access property "document" on cross-origin object
I realized that the page I followed is old and this error is telling me that what I am doing is an attack on the site. However, this is not an attack I am trying to do but instead just press the submit button.
The survery is on LimeSurvey if it helps.
Does anyone have any ideas on either this way or another way of pressing submit on a third party page?
Due to the same-origin-policy this is not allowed and if there was a workaround, it would render the same-origin-policy useless.
The only thing I can think of is using something that controls the browser like the browser testing framework selenium. But that requires installation on the local system.
Related
My website is refreshing randomly by itself with an additional unknown URL parameter ?mn followed by a Hash. Example:
?mn=l4ehjinilk0ids2leotmtyrmttfuq4oqedu.eebubnay47ddfhvd
I really don't know where it comes from. It happened even in Incognito mode.
Website is on Sitecore.
Any ideas?
If the page is loading correctly from the server but then refreshes with additional parameters in your browser, it must be triggered by JavaScript code. It can be caused by your own JavaScript, scripts injected by a third-party snippet, scripts executed by your browser extensions and so on.
Follow the steps below to find what triggers this refresh:
Open Developer Tools in your browser and navigate to the Network tab
Select the Preserve log checkbox
Reload your web page to replicate the issue
Find the request with parameter ?mn= and select it
Go to the Initiator tab, it will show the request call stack or request initiator chain similar to this:
This can help you understand what in your browser triggered the web page refresh.
Thank you.
I finally found out.
It was due to the Zoom application, a Post-attendee URL was set, as soon as a meeting is done, Zoom triggers the default browser and redirects to a website.
In our web app/site, I need to use an iframe or a popup window to validate if the current token is valid and refresh it if no.
So, I create an iframe, and set the property 'src' to the validation link such as "https://<domain_name>/auth?client_id=xxx" which is different to our app domain https://<app_domain>. and the return value will like "https://<domain_name>/code=yyyy"
document.createElement('iframe');
and I added the message handle for the web app/site, like
window.addEventListener("message", this.messageHandler);
in the messageHandler, I will check if the message is from a specified website, and then validate the "code" value, blabla, etc.
But when running in Chrome, I always got the error
"Blocked autofocusing on a element in a cross-origin subframe."
what confused me is:
it always failed when running in the Chrome browser, but it can work fine in Firefox and Edge chromium.
I tried to set iframe.sandbox = "allow-forms allow-scripts allow-same-origin", the problem still existed.
If the validating token failed in iframe or timeout, I will create a popup window to continue validating and refresh the token. But every time, using popup window can always succeed. If it is really a cross-origin issue, why using iframe failed but using popup window succeeded.
I didn't use window.postmessage. because I don't know how to pass the return value of iframe/popup-window to the main page.
I used CORS extension of Chrome or using parameter --disable-web-security when launching Chrome. the problem still existed.
when I created the iframe or popup window. it is very simple, I just set the iframe.src property, there is no element being created.
any help will be much appreciated.
p.s.
I refer to the following doc:
Blocked autofocusing on a form control in a cross-origin subframe
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
Support for iframes in web development will only get worse over time as they are a security black hole, browsers are gradually over time locking out features and use of them.
I am assuming you are doing this because you are validating a user on a third party service, validating by watching the response of a third party service website?
Without knowing the service you are using I cannot comment specifically but for anyone looking to do something similar I would highly suggest not doing this:
As mentioned, iframes are constantly having features locked down due to security concerns
An attacker could change the source of the iframe and submit their own iframe to look like it has been correctly validated
It's unlikely that the page you are using as your iframe src is intended for this use, which will come back and bite you when the 3rd party developer changes how their page behaves, which they likely will do without knowing it's going to break your application
I recommend:
Finding a stable API the 3rd party service offers and using that
Finding another service if none exist
Apologies to rain on your parade!
I disagree that iframes are a security risk, rather they can be if not implemented properly.
How to implement them properly should be asked in another question and probably starting with a carefully implemented Content Security Policy as a priority.
I also use iframes within a Chrome extension that has to pass rigorous Google security.
As for the question, I've noticed that error too and I am focusing on an input box when the iframe is loaded and the focus works! I put it down to being a Chrome bug as the warning suggests it has stopped auto focusing when it hasn't.
As for the un-related point about passing the value back to the parent holding the iframe, I can help you with that, but you should ask it in a new question.
Disable some feature of browser setting
Browser Changes
chrome://flags/#cookies-without-same-site-must-be-secure
chrome://flags/#same-site-by-default-cookies
chrome://flags/#enable-removing-all-third-party-cookies
Above URL just paste it and disabled it. Then ok and relaunch the browser.
Then done it.
I want to automatically log in to specific websites, e.g. the groupware webinterface at work. My browser (Chrome on Linux, if that matters) saves passwords for me, but I want a complete auto-login, so that I don't even have to click the "login" button anymore.
I have investigated multiple ways to approach this, but none of them has turned out to be satisfying:
1. Use a Tampermonkey JavaScript which clicks the "login" button on the website
I wrote a custom JavaScript which was supposed to just click the "submit" button once I load the login page. Chrome was supposed to fill in the password fields. The idea sounded pretty straight-forward. However, this is bad for 2 reasons: On the one hand, I cannot use Chrome's saved password. Chrome has a policy that the password field already displays the circles, but the password is not actually filled in and is also not accessible from JavaScript until the user has performed a gesture such as clicking (see this Chromium issue), which kind of defeats the purpose of my JavaScript. I could go around this by saving the password in localStorage additionally (security wouldn't be compromised, as the saved passwords are not encrypted either), but this doesn't feel good. On the other hand, this breaks a (imho) significant security feature of Chrome. It is the same feature mentioned above which prevents XSS attacks from stealing login passwords. Because whenever I load the login page, the password would be filled in and it would log me in.
So what I would rather want is a special (if possible local) page which I can bookmark, but which will (probably) never be known to anyone performing an XSS attack on me.
2. Use a local HTML page which loads the login page, fills out the form and logs me in
This is a simple idea and would accomplish my goal, but of course it doesn't work because of the same-origin policy.
3. Use a script/program
This would theoretically work. I could write a program which downloads the login page, reads the form, submits it and then transfers the cookies (or the login URL, if the form uses GET to submit to the browser. However, this would be a major piece of work, especially for the case where the forms use the POST method (I'd have to transfer cookies to a possibly running instance of Chrome).
Plus, I'd have to somehow tie this program to a local webserver or turn it into an extension so I could access it from within my browser. After all, opening a shell and typing a command is not really easier than clicking a login button.
4. Use cookies
This is not really an approach, but I mention it here for completeness' sake. By default, Chrome removes all cookies when I exit the browser. I can configure it to keep the cookies of specific websites so I don't have to log in again when I restart it. Some websites use only session cookies, though, so closing the last tab already (correctly) removes the cookies and I have to login again. As a result, cookies only solve my problem for a few websites, but not all.
So my question is: Is there an easier way to accomplish automatic log-in without having to circumvent security features or write a large program?
P.S.: I know, this is a lot of effort to get around clicking a single button every now and then :)
I've been working on this particular error for a week now, debugging different social buttons and narrowing it down to Facebook in general: every "Like" button I've implemented (HTML5, xfbml, etc.) triggers the same cross-domain scripting error. Basically, Facebook is triggering this error with every iFrame (like below) upon clicking "like":
Unsafe JavaScript attempt to access frame with URL http://mediacdn.disqus.com/1326940420/build/system/def.html#xdm_e=http%3A%2F%2Fwww.vancitybuzz.com&xdm_c=default4311&xdm_p=1& from frame with URL http://www.facebook.com/plugins/like.php?channel_url=https%3A%2F%2Fs-static.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df31a0247d%26origin%3Dhttp%253A%252F%252Fwww.vancitybuzz.com%252Ff3c0eb7e0c%26relation%3Dparent.parent%26transport%3Dpostmessage&extended_social_context=false&href=http%3A%2F%2Fwww.vancitybuzz.com%2F2012%2F01%2Fchinese-new-year-events-2012-vancouver-richmond-burnaby%2F&layout=box_count&locale=en_US&node_type=link&sdk=joey&send=false&show_faces=false&width=90. Domains, protocols and ports must match.
Why this isn't a duplicate: the issue occurs even in the absence of the twitter button and google+ button. it also occurs in every implementation of the "like" button. the symptoms point to a new issue.
Methods attempted: I've tried multiple "versions" of the Like button all with the same issue. It's even conflicting with DISQUS.
Suspects: Pages that do not have any DISQUS code are functioning normally. This variable (output by DISQUS wordpress plugin) is suspect:
var facebookXdReceiverPath = 'http://www.vancitybuzz.com/wp-content/plugins/disqus-comment-system/xd_receiver.htm';
In addition, javascript output by Facebook is also suspect.
See it yourself: Go to http://www.vancitybuzz.com/2012/01/research-in-motion-ceos-resign/ it's likely to change, though.
The Question
Given the information here, does anyone know of a workaround to force out the cross-domain error? Many thanks.
After multiple people have looked into this, including myself, currently there is no workaround for cross-domain errors because Facebook uses iFrames for communication.
This would also apply to the Google Plus button as it stands today.
However, the future looks bright. Google devs (and likely Facebook, too) have confirmed they are working on a new solution.
In the meantime, some people have reported that using Facebook and other widget plugins seem to alleviate the problem in Wordpress-structured sites. No guarantees.
http://mashable.com/2010/05/07/wordpress-facebook-like-buttons/
The Future: I wouldn't be surprised if websockets (and flash ws fallbacks) are used, but I'll leave that to the platform devs
We have an intra-net website that requires me to enter login information every time and it's annoying.
I want to create some sort of automatic login for this website.
I tried creating a two-frame website, with one page being the login page and the other being my own html. In my html, I wanted to enter values to the textboxes in the other frame but got an "access denied" js error.
Any other idea?
(I know I can record a Macro, but unfortunately, can't install any third-party applications in the inner-network. I could also have used Robo-Form...).
Oh yeah, and it has to work on the worst browser ever, Internet Explorer 6...
Maybe local html file with form that mimic login form and with autosubmit (like onload="form1.submit();"?). Than you can run this file and it will autosubmitted and redirects you where you want to go (form's action).
A greasemonkey script might work.