This is a weird one. I am attempting the following.
I have a local HTML and JavaScript file which generates a random Wikipedia page. When I get the URL for the random Wikipedia page I want to send it to the printer. However, both Chrome and Firefox seem to have a real problem with this.
In Chrome I get an error:
Unsafe JavaScript attempt to access frame with URL https://secure.wikimedia.org/wikipedia/en/w/index.php?title=Popran_National%20Park&printable=yes from frame with URL my local file. Domains, protocols and ports must match.
gol.js:99Uncaught TypeError: Object [object DOMWindow] has no method 'print'
In Firefox:
Permission denied to access property 'print'
[Break On This Error]
infoWindow.print();
Do you think this could be because I am running things locally?
My code for spawning the new window is:
var printURL = "https://secure.wikimedia.org/wikipedia/en/w/index.php?"
infoWindow = window.open(printURL,'wiki');
setTimeout ( "printWin()", 2000 );
where printWin() is:
function printWin(){
infoWindow.print();
infoWindow.close();
}
It's the security policy stuff that you are running into. Read this and this.
What you need to do is run the GET request for the Wiki page through a server. So the server acts as a proxy. The browser will allow this because, from its perspective, the content is from the same origin as your hosting page.
You might get broken links still. You might have to come up with a way to proxy all of that as well -- or rewrite the HTML. If you do that, now you are getting into the land of copyright and I'm not sure what's what when it comes to all that.
Are you allowed to proxy Wikipedia content through a server, thereby masking its origin? Maybe you are as long as you don't change the content. But if you adjust the HTML to make it look like it was meant to look, then are you being a bad boy or a good boy? I have no idea whatsoever on this.
I think I answered your technical question though.
I need to set the value attribute of several elements in the document of an iframe. I am able to easily do this from Chrome Tools Console. But the same commands do NOT work from a JavaScript injected into the page by Keyboard Maestro or AppleScript.
The iframe is generated by a Chrome extension: Evernote Web Clipper.
In the below examples, I have already invoked the Evernote Web Clipper.
This script/commands work from Chrome Console, after I have selected the iframe document:
var remElem = document.getElementById("comments");
remElem.value = "KM This is a test";
var titleElem = document.getElementById("title")
titleElem.value = 'KMTEST title'
I suspect that I first need to get or select the iframe document before I run the above script. How do I do this?
I have tried many different SO solutions, and none of them work.
Here is a screenshot of the main document in Chrome Tools:
Screenshot of iframe document in Chrome Tools:
Here is what I have tried, unsuccessfully:
// *** NONE of These Work ***
//--- Method 1 ---
var frame = window.frames['frame1'];
var documentObj = frame.document;
var element = documentObj.getElementsByName('frame1Text');
//--- Method 2 ---
var frame = document.getElementById('myframe1');
var documentObj = frame.contentWindow.document;
var element = documentObj.getElementById('frame1Text');
//--- Method 3 ---
window.frames[1].document.getElementById('someElementId')
For example, from Chrome Tools, when I have the main document selected:
//--- From Chrome Tools with Main document selected ---
enFrm = document.getElementById("evernoteGlobalTools")
/*RESULTS
<iframe id="evernoteGlobalTools" src="chrome-extension://pioclpoplcdbaefihamjohnefbikjilc/content/global_tools/global_tools.html" class="evernoteClipperVisible" style="height: 528px !important;"></iframe>
*/
oDoc = enFrm.contentWindow.document;
/* ERROR
VM882:1 Uncaught DOMException: Blocked a frame with origin "http://forum.latenightsw.com" from accessing a cross-origin frame.
at <anonymous>:1:27
(anonymous) # VM882:1
*/
oDoc = enFrm.contentWindow.document;
/* ERROR
VM892:1 Uncaught DOMException: Blocked a frame with origin "http://forum.latenightsw.com" from accessing a cross-origin frame.
at <anonymous>:1:27
*/
Any/All suggestions/ideas gratefully accepted.
The error you are facing:
Uncaught DOMException: Blocked a frame with origin "http://forum.latenightsw.com" from accessing a cross-origin frame.
clearly states that your code has been blocked due to a Cross-Origin Resource Sharing restriction (A.K.A. Content Security policy or even CORS).
Your domain forum.latenightsw.com is quite rightly considered not the same when compared to chrome-extension://pioc…
(main page versus extension's injected IFrame's domain …). Accessing the IFrame's DOM in such a situation would be a HUGE security flaw.
I fear there is no realistic solution that would let you run this code from the main page Javascript context.
If you were in control of the chrome extension, you could try adding your domain as a host permission in the manifest file (If this was really relevant). (More details on Google Chrome documentation).
I'm not sure window.postMessage would help you here.
If you have static code to execute you could create a Bookmarklet containing the code, then ask your visitors to add it to their bookmarks (bar) and click it to execute changes. But this is not a realistic solution and won't probably fit your need.
EDIT
In response to «Please help me understand why that is any more of a security issue» comment.
Browsers sandbox code in contexts; each context has its own set of security restrictions, and some of them are at risk (mostly) regarding XSS attacks.
A WEB page is the most exposed context to attacks; any browser will execute the code it contains after fetching its URL. This is the ideal target for attacks (such as XSS) because the more people visit an affected website, the more people pay the costs. This is why restrictions such as Cross-Origin Resource Sharing exist, which prevent different frames (with different domains) from accessing each other's documents by default.
There are factors that ease attacks, for instance: identified security flaws in outdated open source CMSs that do not correctly escape content coming from the database, letting tags appear in the page source (which is then executed by browsers…), etc.
In the "Extension" context, some APIs require the developer to explicitly ask for permissions in the extension's manifest file. Interaction with the current page (active tab) is granted if the ActiveTab permission has been declared. Once you install an extension, you give it access to the APIs it has requested.
The developer console context is a particular case. What is executed there ONLY COMES FROM YOU AND WILL ONLY AFFECT YOUR EXPERIENCE.
One can guess that risks are quite limited there compared to code in websites' source (where malicious code may have been injected using XSS attacks).
In other words, only the code you enter in the console will be executed there and no code from a WEB page will gain access to the console context.
You may have experienced browsers warning you about risks when you paste code to execute in the console, telling you to do so if and only if you understand what the code will do or at least if you absolutely trust the author/origin of the snippet.
A (not so) fictional scenario: Access Iframe content from main page.
Let's say we have a web page containing a malicious script. This script could try to identify installed extensions by periodically scanning DOM nodes and looking for specific extensions' injected content, and ultimately access that content.
All this reminds me of an interesting article for developers.
This is really, really weird. I developed a site offline using Apache / Strawberry Perl / Firefox. It displays data in object tags as expected, calling data from external sites.
Upload the code to server, and it will display objects where the code is on the same site ... but refuses to "pull" in data from other domains, (which I own)
If you try "http://demo.coadmem.com/members" and click on a circle on the left, a product listing appears, (served from same domain) but the ones from "cbwizard.cristofayre.com" and "cristoafayre.com/poppa" on same page refuse to appear. Yet when I set up a test using YouTube, it loads OK.
I asked the host if there was some sort of "block" that stopped the objects from loading external site, and of course their response was "we can see no problems reported in the error logs".
Also, at "http://coadmem.com/admin", there is another object at the top - which works fine offline, but from server displays a white empty "about" bar!!.
Here are two of the codes I'm using (the cb-wizard one uses a bit of javascript to select a random keyword; too much to add here, so please view source code). Anyone see a glaring error as to why it won't work online?
<object data="http://www.cristofayre.com/cgi-bin/poppa/banner_ad.pl?u=1:aa00" width=480 height=90></object>
<object style="position:fixed;top:0px;width:100%;height:20px;" width="100%" height="20px" data="http://www.cristofayre.com/cgi-bin/admin_ad.pl?t=w"></object>
I know the scripts work, 'cos if you type the data line into a browser, the correct HTML is displayed; it just refuses to appear when on the server!
I'm wondering if there is some sort of "list" that the host might be applying that allows the majors such as Google / Youtube to be loaded into iframes / objects, but disallows 'minor' sites. (The support team didn't seem to know anything about such a list)
** I also wondered if the "same-origin" policy is coming into play, but surely it shouldn't as that defeats the whole point of using iframes and objects in the first place.
I was "sort of" right. It wasn't that certain URLs were being blocked, rather that the frames were set up ONLY to show data that originated from the same domain as the browser was set to (don't ask me how the YouTube iframe circumvented this rule, but there you go!)
As you can see from the above comments, the solution was to create a .htaccess file and use the command "Header always unset X-Frame-Options" which in simple terms (that I can follow) is saying "Whatever the header for the X-Frame-Option is set to, ignore it! and display the data anyway"
Perhaps this might help someone in a similar dilemma. It was certainly baffling as to why the ActiveState / Strawberry Perl version worked OFFLINE, but not online.
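What the browser does with the header discussed above, as an added example that is not part of the original post: with `X-Frame-Options: SAMEORIGIN` (assumed here to be what the host was sending) the cross-domain object is refused, with the header unset any site may frame the page, and a `Content-Security-Policy: frame-ancestors` list permits only the named parents. The function names and header values are illustrative.

```javascript
// Added example (not the poster's code). PARENT and FRAME are URLs quoted in the
// question; the header values passed in are constructed for illustration.
const PARENT = "http://demo.coadmem.com/members";
const FRAME = "http://www.cristofayre.com/cgi-bin/poppa/banner_ad.pl?u=1:aa00";

// Would a browser render frameUrl inside a page at parentUrl, given the headers
// sent with the framed response? Simplification: only the immediate parent is checked.
function framingAllowed(parentUrl, frameUrl, headers) {
  const parent = new URL(parentUrl), frame = new URL(frameUrl);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // A CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options.
  const fa = frameAncestors(h["content-security-policy"]);
  if (fa) return fa.some((src) => sourceMatches(src, parent, frame));

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parent.origin === frame.origin;
  return true; // no framing restriction sent: any page may embed this response
}

// Return the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Match one source: 'none', 'self', or scheme://host with an optional "*." wildcard.
// Sources with explicit ports or paths are not handled and never match.
function sourceMatches(src, parent, frame) {
  if (src === "'none'") return false;
  if (src === "'self'") return parent.origin === frame.origin;
  const m = /^(https?):\/\/(\*\.)?([^/:]+)$/.exec(src);
  if (!m || m[1] + ":" !== parent.protocol || parent.port !== "") return false;
  return m[2] ? parent.hostname.endsWith("." + m[3]) : parent.hostname === m[3];
}
```

Calling `framingAllowed(PARENT, FRAME, {})` models the state after `Header always unset X-Frame-Options`; passing a `frame-ancestors` list that names only the poster's own domains keeps the objects working while other parents stay blocked.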
I am trying to use PIXI to create an image-based sprite, thus:
var s = new PIXI.Sprite(PIXI.Texture.fromImage("bunny.png"))
My server can only locate the correct image file if the request for "bunny.png" arrives with a session cookie. Unfortunately, no cookies are sent (which is evident from server side debugging, and clearly evident in Chrome's developer console).
If I add a simple img tag in the html, I observe (in Chrome's developer console) that cookies are sent and the image is returned without any trouble:
<img src="bunny.png">
I am using PIXI 3.0.5.
What am I failing to understand? Why would these two bunnies behave so differently?
var s = new PIXI.Sprite(PIXI.Texture.fromImage("bunny.png", false))
The default behavior is to pretend that we want to avoid cross-site scripting abuse, so cookies are suppressed. This is how the PIXI tutorials work, apparently (and who cares about cookies in that case?)
If you want the cookies, you must set the crossdomain parameter to false.
I thought I had tried that already, but evidently I was mistaken! Bunnies everywhere now..
I have a classic ASP web page that used to work... but the network guys have made a lot of changes including moving the app to Windows 2008 server running IIS 7.5. We also upgraded to IE 9.
I'm getting a Permission denied error message when I try to click on the following link:
<a href=javascript:window.parent.ElementContent('SearchCriteria','OBJECT=321402.EV806','cmboSearchType','D',false)>
But other links like the following one work just fine:
<a href="javascript:ElementContent('SearchCriteria','OBJECT=321402.EV806', 'cmboSearchType','D',false)">
The difference is that the link that is failing is in an iframe. I noticed on other posts, it makes a difference whether or not the iframe content is coming from another domain.
In my case, it's not. But I am getting data from another server by doing the following...
set objhttp = Server.CreateObject("winhttp.winhttprequest.5.1")
objhttp.open "get", strURL
objhttp.send
and then I change the actual HTML that I get back ... add some hyperlinks etc. Then I save it to a file on my local server (saved as *.html files).
Then when my page is loading, I look for the specific HTML file and load it into the iframe.
I know some group policy options in IE have changed... and I'm looking into those changes. But the fact that one JavaScript link works makes me wonder whether the problem lies somewhere else...?
Any suggestions would be appreciated.
Thanks.
You could try with Msxml2.ServerXMLHTTP instead of WinHttp.WinHttpRequest.
See differences between Msxml2.ServerXMLHTTP and WinHttp.WinHttpRequest? for the difference between Msxml2.ServerXMLHTTP.
On this excellent site about ASP you get plenty of code samples on how to use Msxml2.ServerXMLHTTP, which is the most recent of the two:
http://classicasp.aspfaq.com/general/how-do-i-read-the-contents-of-a-remote-web-page.html
About the IE9 issue: connect a PC with an older IE or another browser to test whether the browser is the culprit. Also in IE9 (or better in Firefox/Firebug) use the development tools (F12) and watch the console for errors while the contents of the iframe load.
Your method to get dynamic pages is not efficient, I'm afraid. ASP itself can do that and you could use e.g. a div instead of an iframe and replace the contents with what you get from the request. I will need to see more code to give better advice.
I have an iframe-based online help system that has worked well for years. With IE8 it chokes on some of the javascripting that calls location.toString(). This same code works fine in IE6.
Specifically, the code is:
var iss = parent.left.location.toString();
var isInd = iss.indexOf("indexframe");
I get a "permission denied" error. I believe the problem is related to cross-domain communications, which I'm not sure I fully understand. The whole package runs locally using local HTML and javascript files. I'm not trying to have a frame in one domain control a frame in another domain. Or maybe I'm way off base in assuming this is the problem.
Could someone help me to understand what I need to do to work around this issue?
If the iFrame and the parent Document are in the same domain then you should not get that error. It suggests to me that the documents are in different domains.
If the Iframe is in www.mydomain.com and the document is in help.mydomain.com YOU WILL GET AN ERROR! The pages must think they are in the exact same domain.
In both documents you could add JavaScript to set the domain:
document.domain = "mydomain.com";
JavaScript will allow you to drop into the host domain on both pages. This allows you to communicate across the frames. Of course if the pages are in different HOST domains then this won't work and JavaScript will throw the error.
Typically when accessing the content of another iframe, i use something like this:
var f = document.getElementById('IdOfIFrame'),
d = f.contentDocument||f.contentWindow;
alert(d.location);
If you are indeed accessing 2 domains from your site, and you own both of them, you can create an xml file that specifies which domains should be allowed to share. See the spec document. This opt-in cross-site access is supported by more than just Adobe (MS Silverlight for one). Here is Silverlight's support spec.
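The comparison behind the "Domains, protocols and ports must match", "Blocked a frame with origin" and document.domain passages on this page, as an added example that is not from any of the posts. The file: path is constructed, file: is assumed to be an opaque origin (Chrome's default), and the document.domain check is simplified to a host-suffix test.

```javascript
// Added example: same-origin comparison for the frame pairs described on this page.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (scheme, host, port) tuple for a URL, or null for an opaque origin.
// Assumption: file: and data: documents get an opaque origin.
function originTuple(href) {
  const u = new URL(href);
  if (u.protocol === "file:" || u.protocol === "data:") return null;
  return { scheme: u.protocol, host: u.hostname,
           port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

function isSuffix(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// True when script in a page at `a` may touch the DOM of a frame at `b`.
// domainA / domainB model each page having executed document.domain = "...".
// Note: document.domain is deprecated; this only shows why the posted advice worked.
function sameOrigin(a, b, domainA, domainB) {
  const oa = originTuple(a), ob = originTuple(b);
  if (!oa || !ob) return false;             // opaque origins match nothing
  if (oa.scheme !== ob.scheme) return false;
  if (domainA || domainB) {
    // Relaxation needs BOTH pages to set the same value, a suffix of each host;
    // the port is then ignored, the scheme is not.
    return domainA === domainB && isSuffix(oa.host, domainA) && isSuffix(ob.host, domainB);
  }
  return oa.host === ob.host && oa.port === ob.port;
}

// Frame pairs taken from the questions above (the file: path is constructed).
const CASES = [
  ["file:///home/user/gol.html", "https://secure.wikimedia.org/wikipedia/en/w/index.php"],
  ["http://forum.latenightsw.com/",
   "chrome-extension://pioclpoplcdbaefihamjohnefbikjilc/content/global_tools/global_tools.html"],
  ["http://www.mydomain.com/help.html", "http://help.mydomain.com/index.html"],
];

// Evaluate every pair without any document.domain relaxation.
function report() {
  return CASES.map(([page, frame]) => sameOrigin(page, frame));
}
```

All three pairs come out cross-origin; only the third can be relaxed, by passing `"mydomain.com"` for both pages.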