I've been working on a requirement that involves a website fetching/manipulating data stored on a different domain. There didn't seem a way except for enabling CORS on the other server to allow me to get and modify data from a different domain. However, that caused some issues with Office 365 apps and I had to take a different approach.
The approach is to use postMessage to talk to a hidden iframe (not a good approach, but I was insisted to use it) on the page that is running on the target domain. The source page posts message along with information about the REST call to the hidden iframe which makes a requests on behalf of the parent page and uses postMessage to return back the results.
Everything works fine except for when the website is being used on an iPhone. Turned out placing alert calls in the script running inside the target iframe makes it to work but removing the alert calls sort of disables the target iframe from making those cross-origin network calls.
My theory is that it is due to the security of mobile Safari that in order to make cross-origin calls from an iframe running on a different domain, the user needs to provide their consent by interacting at least once with the embedded iframe. Does that sound correct?
The comment by diodeus-james-macfarlane is the closest that we could go but the iframe being hidden, there was no way we could have placed a control for the user to interact with, even if that was only for it to work.
To my surprise, turning off a setting on the SharePoint site made it work. The setting was around mobile view compatibility and without that, the iframe is able to make HTTP requests, send and receive messages to and from the parent webpage.
I have a blog on tumblr, and I am trying out the website with SSL. Now with Chrome and possibly other browsers, any images and scripts that are not loaded using HTTPS are automatically blocked, and I lose the happy little green lock icon in the address bar. I am able to edit the HTML of the theme, however there are too many external scripts that are used to load images (and other scripts) to be able to weed out and fix every HTTP request. Obviously, I don't have access to the web server settings for tumblr.com or I could have easily configured HTTPS redirects or something.
I was wondering if there would be any way to prevent the HTML and other included scripts from making HTTP requests through the use of javascript. The website appears and functions just fine without the blocked elements, and I just want the lock icon to show my visitors that it's a safe website.
I have no intention of advertising my blog here, as I'm sure it is against the user policy on this forum. That being said, if it is helpful for troubleshooting reasons, I can post the link if requested.
I have a flash game from another website iframed on my site.
I want to prevent users for leaving my site when clicking a banner inside the flash game that redirect to another website.
I tried the sanbox thing but didnt work.
is this possible since the iframed content is a flash game?
Since the iframe is cross domain there isn't really anything you can do unless you have access to that server. Check out CORS(Cross Origin Resource Sharing), but I think even that will only get you as far as XHR requests go. It still wouldn't allow your scripts to access the contents of the iframe unless it is hosted on the same domain.
How can I stop loading a web page if it uses a frame-buster buster as mentioned in this question, or an even stronger X-Frame-Options: deny like stackoverflow.com? I am creating a web application that has the functionality of loading external web pages into an <iframe> via javascript, but if the user accidentally steps on to websites like google.com or stackoverflow.com, which have a function to bust a frame-buster, I just want to quit loading. In stackoverflow.com, it shows a pop up message asking to disable the frame and proceed, but I would rather stop loading the page. In google, it removes the frame without asking. I have absolutely no intent of click jacking, and at the moment, I only use this application by myself. It is inconvinient that every time I step on to such sites, the frames are broken. I just do not need to continue loading these pages.
Edit
Seeing the answers so far, it seems that I can't detect this before loading. Then, is it possible to load the page in a different tab, and then see if it does not have the frame-buster buster, and then if it doesn't, then load that into the <iframe> within the original tab?
Edit 2
I can also acheive the header or the webpage as an html string through the script language (Ruby) that I am using. So I think I indeed do have access to the information before loading it into an <iframe>.
There's no way to detect this before loading the page since the frame busting is done via a header or is triggered via JavaScript as the page is loading.
Without a server backend you won't be able to as you are pretty limited with the amount of tinkering you can do in javascript due to crossdomain policies.
You might want to consider creating some sort of a blacklist for URLs to stay away from...
I have a page that is viewed secured with 'https' in the URL, that also contains youtube urls to play video from youtube. Since the youtube URL contains 'http' with no 's' IE is giving an a warning dialog of "This page contains both secure and non-secure Items."
Is there a way I can workaround this in Javascript? Maybe after the page loads generate the youtube player HTML with a function? The url will still have to begin with 'http://'
EDIT: Thanks everyone for the input so far! I know this sounds impossible. I'd be happy if there was some conditional comment or something so I can tell IE to suppress this dialog box. It confuses our customer since most of the world is in IE, FF has much better behavior in that it tells you if you click the broken lock, but not an annoying popoup. This is like a new version of "your program has performed an illegal operation." (user hides from police) I am embedding youtube video onto the page where the src is from youtube. I am using their player, as it is hosted by them. No way out of this that I see.
I guess my fix is to only apply HTTPS to the very sensitive pages (password change, login) and come out of it in all others so youtube videos don't give this popup. I am in PHP and am worried the SESSION will get clobbered if I do this but I guess it is the only way around and will wait to tackle that bear monday.
One thing I've done to work around this problem is to create a page on my SSL site that proxies in the 3rd party resource. That way the client only sees SSL URLs.
For example, you flash player could point to the URL "https://YourSite.com/proxy.aspx?URL=http://www.youtube.com/video.swf". When "proxy.aspx" is called, it would make a new web request to the URL in the query string and return the data to the client.
If you do this you need to validate the proxied URL or use some kind ID so that the URL can not be changed since you are convincing the browser that this content is trusted.
I've worked around this problem on all browsers using the following:
1) Create a thumbnail image of the start of the video with the "Play image" tag on the snapshot and host the image on your own https server. Embed the thumbnail where you want the video to be.
2) When the user clicks on the image invoke a Javascript onclick handler to create a new window with the href of the http embedded youtube video.
function onImgClickHandler() {
//Link to embedded Viddler or Youtube video
var win = window.open("http://www.viddler.com/player/###/", "My Video",
'height=500,width=800,resizable=yes,scrollbars=yes');
win.focus();
}
3) The video will now appear in a popup of the main page.
I usually use videos as tutorials for my site, so having the video in a popup browser window works well because it can be viewed alongside the main content and lets the user follow along with the site. The browsers do not even give a redirect warning that you are invoking an http popup from an https site, so your users will not see any "scary" non-secure item warnings on any browsers.
Hope this helps, I have an example of the above on the landing page of my site: https://drchrono.com/
UPDATE: I made the image preview by taking a screenshot of the playing video.
According to this quite recent YouTube API blog post, embedded YouTube videos already support access via HTTPS. If this is the case, (and I haven't tested it, but equally I have no reason to not believe them), then you should just be able to stick the "s" into your embed URL and it will work just fine.
If there was a way around it would be a security flaw in IE and Microsoft would patch it, so I don't think you're going to get away with mixed content and no warning.
The only alternative is to host the FLVs yourself. There are a number of good SWF based FLV players available.
Having insecure links on a secure web page is an issue that has little workaround. One option is to exclude specific content on your page when a user connects via https. In this way a non-secure page load would display the content and a secure page load would not display the content:
<% if (!Request.IsSecureConnection){ %>
<div>You can't see this if the page is secure<div>
<%} %>
I have used this method with much success... Hope this helps.
I have had this same problem and found a solution.
It works without having to turn of SSL certification.
Step by step guide to fix Google chrome
You can view the fixed page listed below. It has links to YouTube,Flickr and many other websites. It is secure and has been for a few months now. Hope it helps you too.
The mod_rewrite module of the Apache httpd server can be used to embed YouTube videos on SSL secure pages without any errors, as detailed on Adam Mershon's blog.
It involves setting up a rewrite rule to redirect a path within the SSL domain to non-SSL YouTube:
.htaccess
RewriteEngine on
RewriteBase /
RewriteRule ^youtube/(.*)$ http://www.youtube.com/$1 [L]
So that inside your HTML you can embed YouTube link URLs appearing to be from your own domain, such as:
<embed src="https://www.yourdomain.com/youtube/v/mydjFYoD4WS&hl=en_US&fs=1&rel=0&autoplay=1&"
type="application/x-shockwave-flash"
allowscriptaccess="always"
allowfullscreen="true"
width="560"
height="340">
</embed>
Using Javascript to replace the URL does not work. IE7 intercepts the content, and thereafter, the warning.
I tried using (jQuery) $(function() { }); it sortof works. You can click yes/no to the dialog, the content will load nonetheless.
This is a severe problem in my world. It earns my work comments from users like "It's not user-friendly", "It's broken" or "It killed my kitten".
The proxy solution probably is the only pseudo-fix that's gonna roll. Just that it's clearly not a perfect solution either.
I try to navigate this a bit better by running as much of my sites on https as I can. Obviously the youtube case isn't fixed by that.
IE, what a silly hunk of FUD-pushing abominationware. I hope IE9 really is as vastly better as it seems. Just, not supporting XP means, well, it's sort of like it was never released. As the n00biest of users, will unwittingly write-protect the status quo until the XP-powered Chineese Skynet of 2247 finally feeds us the red pill...
Your problem occurs become the main page is grabbed using Https whilst one or more included files ( images, javascript, css etc ) is fetched using http. Fix the http url to be https.