Setting URL hash from Silverlight sometimes failing - javascript

In our Silverlight application we set the location hash property of the browser window to bookmark the current control and query parameters being requested. This is done through JavaScript via Silverlight like so:
var hashCode = "Example.ControlNamespace.ClassName?clientID=62189";
HtmlPage.Window.Eval(string.Format("window.location.hash='{0}'", hashCode));
This works well enough, but we get intermittent errors from production where this is failing with a stack trace that ends at that line:
System.InvalidOperationException: Eval failed.
at System.Windows.Browser.HtmlWindow.Eval(String code)
This only happens occasionally, but I would like to know what is causing it. I've been able to replicate it once myself using IE8, so I don't think there are any obscure browsers causing this. It seems that it is sometimes invalid to set the hash, but I don't know why. Also, if it matters, it's hosted on a secure connection, HTTPS.
Thanks in advance.
Edit: I was able to replicate it again. When debugging the javascript the error was 'permission denied'. This seems to only happen on the first load of the page, so maybe the page isn't finished loading and the url hash is not allowed to be changed until it is complete?

This may be associated with this particular issue here:
Suppress navigation when setting HtmlPage.Window.CurrentBookmark property in Silverlight.
The behavior I've seen is that when you set the hash in IE after a redirect, the page refreshes (rather than giving you a "permission denied"), but perhaps there are other scenarios when you're not allowed to do so, e.g., if you're running under HTTPS.
If it does turn out that this is the problem, the only real workaround I've seen is to detect if you're in that scenario (i.e., you've reached this page after a redirect, and you're running in IE), and refresh the page (using JavaScript) before you load your Silverlight application.

Related

Blocked autofocusing on a <input> element in a cross-origin subframe

In our web app/site, I need to use an iframe or a popup window to validate if the current token is valid and refresh it if not.
So, I create an iframe and set the property 'src' to the validation link, such as "https://<domain_name>/auth?client_id=xxx", which is different from our app domain https://<app_domain>, and the return value will be like "https://<domain_name>/code=yyyy"
document.createElement('iframe');
and I added the message handler for the web app/site, like
window.addEventListener("message", this.messageHandler);
In the messageHandler, I will check if the message is from a specified website, and then validate the "code" value, etc.
But when running in Chrome, I always got the error
"Blocked autofocusing on a <input> element in a cross-origin subframe."
What confused me is:
It always failed when running in the Chrome browser, but it can work fine in Firefox and Edge Chromium.
I tried to set iframe.sandbox = "allow-forms allow-scripts allow-same-origin"; the problem still existed.
If validating the token failed in the iframe or timed out, I will create a popup window to continue validating and refresh the token. But every time, using the popup window can always succeed. If it is really a cross-origin issue, why did using the iframe fail but using the popup window succeed?
I didn't use window.postMessage, because I don't know how to pass the return value of the iframe/popup window to the main page.
I used a CORS extension for Chrome or the parameter --disable-web-security when launching Chrome. The problem still existed.
When I created the iframe or popup window, it is very simple: I just set the iframe.src property, there is no element being created.
Any help will be much appreciated.
p.s.
I refer to the following doc:
Blocked autofocusing on a form control in a cross-origin subframe
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
Support for iframes in web development will only get worse over time as they are a security black hole; browsers are gradually over time locking out features and use of them.
I am assuming you are doing this because you are validating a user on a third party service, validating by watching the response of a third party service website?
Without knowing the service you are using I cannot comment specifically but for anyone looking to do something similar I would highly suggest not doing this:
As mentioned, iframes are constantly having features locked down due to security concerns
An attacker could change the source of the iframe and submit their own iframe to look like it has been correctly validated
It's unlikely that the page you are using as your iframe src is intended for this use, which will come back and bite you when the 3rd party developer changes how their page behaves, which they likely will do without knowing it's going to break your application
I recommend:
Finding a stable API the 3rd party service offers and using that
Finding another service if none exist
Apologies to rain on your parade!
I disagree that iframes are a security risk, rather they can be if not implemented properly.
How to implement them properly should be asked in another question and probably starting with a carefully implemented Content Security Policy as a priority.
I also use iframes within a Chrome extension that has to pass rigorous Google security.
As for the question, I've noticed that error too and I am focusing on an input box when the iframe is loaded and the focus works! I put it down to being a Chrome bug as the warning suggests it has stopped auto focusing when it hasn't.
As for the unrelated point about passing the value back to the parent holding the iframe, I can help you with that, but you should ask it in a new question.
Disable some features in the browser settings
Browser Changes
chrome://flags/#cookies-without-same-site-must-be-secure
chrome://flags/#same-site-by-default-cookies
chrome://flags/#enable-removing-all-third-party-cookies
Just paste each of the URLs above and disable it. Then OK and relaunch the browser.
Then it is done.
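The origin check the question describes for its messageHandler, together with the child-side postMessage call that passes the code back to the main page, as an added example that is not part of the original thread. The origin https://auth.example.test, the { type, code, state } message shape, the state value and a redirect page on the auth origin that can run the sender are all assumptions.

```javascript
// Added example, not code from the thread. AUTH_ORIGIN stands in for
// https://<domain_name>; the message shape and state value are assumptions.
const AUTH_ORIGIN = "https://auth.example.test";

// Parent page: build a handler for one validation attempt.
function createAuthMessageHandler({ expectedOrigin, expectedSource, expectedState, onCode }) {
  let done = false; // accept at most one result per attempt
  return function messageHandler(event) {
    // 1. Exact origin match; substring or endsWith checks can be bypassed.
    if (event.origin !== expectedOrigin) return "ignored:origin";
    // 2. The sender must be the window we created (iframe.contentWindow or the popup).
    if (event.source !== expectedSource) return "ignored:source";
    // 3. The payload is untrusted data: check its shape before using it.
    const data = event.data;
    if (!data || typeof data !== "object" || data.type !== "auth-result") return "ignored:shape";
    if (typeof data.code !== "string" || !/^[A-Za-z0-9._~-]{1,512}$/.test(data.code)) {
      return "ignored:code";
    }
    // 4. Bind the reply to this request so a stale or unsolicited reply is rejected.
    if (data.state !== expectedState) return "ignored:state";
    if (done) return "ignored:replay";
    done = true;
    onCode(data.code);
    return "accepted";
  };
}

// Child page (iframe or popup, running on the auth origin): send the result
// to the parent and name the parent's origin explicitly instead of "*".
function postAuthResult(targetWindow, parentOrigin, code, state) {
  targetWindow.postMessage({ type: "auth-result", code, state }, parentOrigin);
}

// Browser wiring (comments only, so the block also loads outside a browser):
//   const frame = document.createElement("iframe");
//   frame.src = AUTH_ORIGIN + "/auth?client_id=xxx&state=" + state;
//   document.body.appendChild(frame);
//   window.addEventListener("message", createAuthMessageHandler({
//     expectedOrigin: AUTH_ORIGIN, expectedSource: frame.contentWindow,
//     expectedState: state, onCode: (code) => { /* exchange code server-side */ } }));
//   In the child: postAuthResult(window.parent, "https://<app_domain>", code, state);
//   For a popup, use window.opener instead of window.parent.
```

The same handler works for the popup fallback: pass the object returned by window.open as expectedSource.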

Why does reloading page in Firefox or Chrome cause the unload event handler to trigger after the browser calls the server?

I noticed something odd in the way Firefox and Chrome handle reloads, and I was wondering if anybody else has encountered this and perhaps knows why.
I have a window.onunload event where I set a cookie (in this case using YUI, but native JS or jQuery would work the same). This cookie normally gets sent in the HTTP request to the server, where the server-side code looks for it. If the cookie exists, it can take a special action.
window.onunload = function() {
Y.Cookie.set('reset_function', 'true', { path: '/'});
}
This works fine when the user is going from one page to another page via a link on the page. However, when the user reloads the page, the cookie is being set in Firefox and Chrome (i.e. I verified the code is being executed via Firebug/Chrome DevTools), but the cookie is NOT sent to the server, so the server can't take the special action.
Has anybody encountered this and know why? Is this behavior baked into these two browsers?
EDIT: When I debugged this further, on reload, Chrome and Firefox go to the server first and then go through the onunload event handler. I'm still unsure why the browser behaves like this.
I could be wrong, but my guess would be that it's just a performance optimization.
First, you should be aware that the onunload method is (last I checked) not allowed to prevent the user from navigating off the page. If it were, I think there'd be a lot more malicious inescapable websites!
What it can do (on some browsers, anyway) is prompt the user with a message, and give the user the opportunity to cancel navigation.
Since this prompt takes some non-zero amount of time, the browser developers (for Chrome and Firefox) may have decided to go ahead and make the request first, so that if the user pauses for a moment and then confirms, the subsequent page will load as fast as possible.
I don't really know if this is accurate or not, but it's one possible explanation. Note that the onunload method is not part of any standard, which means its behavior isn't exactly clearly defined anyway, which means the browser makers are free to put the request before or after the event handler, as far as I can tell.

Blocked a frame with origin "http://video.sasads.com" from accessing a frame

While developing a website today I noticed something odd on the console. This is the second time I see this error message. I googled the website sasads.com and came up without any info. Website apparently is XML in nature and seems to be very suspicious.
The console error code is Blocked a frame with origin "http://video.sasads.com" from accessing a frame with origin "http://". Protocols, domains, and ports must match.
The website is PHP/jQuery and utilizes the latest jQuery distribution. I searched for sasads.com in the js folders but could not locate such a string. The jQuery that was blocked stated it was running in 1.7 so it must be loading it offsite somewhere.
Browser used is Chrome, server running latest PHP and MySQL environment. I wasn't able to recreate the error; guess there is some kind of trigger or timer that is hidden.
Question: should I be worried that one of the potential scripts has some sort of trojan or malware attached to it?
Based on my experimenting, I believe this is caused by the "Edit This Cookie" extension.
Also: The reviews for the extension have similar complaints about ads.
I just very unexpectedly had my Chrome browser switch from my ebay window to a new full-page advertisement; in researching more about what happened, I found this stack overflow question through my google search regarding the website that it jumped to. I'm leaving the following information for others who may be searching for issues with "sasads.com", "adverstitial.com", "openadserve", or "adlegend.com" -- they all seem to be culprits in the hijacking of my web browser (and should be banned, blocked, blacklisted, and otherwise removed from the 'Interwebs').
In response to the Original Poster's error, I believe that the browser you were using tried to do the same exact jump to an "adverstitial.com" page. This page then has a script that loads content from "sasads.com", and you were seeing an error in how it loads.
I was able to capture the javascript from the site, and yes - it has a timer on it after which it tries to go back to the site you were originally on. Thus, you wouldn't have been able to see it. I have much more information about this and captured the javascript that was run. I haven't figured out where it was triggered yet. I only have one Chrome extension (Session Manager). I hope this helps someone.
I had this exact same error in Chrome. In my case, it started after installing the PageRank Status extension.

Java script in IFRAME security issues

On the website http://imaginaryman-test.blogspot.com/ the typewriter is inside of an IFRAME. Everything works correctly on all browsers when you go to the site directly http://castedspell.com/mark/ but when viewing the version embedded in an IFRAME it does not work on IE and throws errors in Chrome.
Unsafe JavaScript attempt to access frame with URL http://imaginaryman-test.blogspot.com/ from frame with URL http://castedspell.com/mark/. Domains, protocols and ports must match.
This is the source code for the embedded IFRAME
https://github.com/totheleftpanda/typeWrite/tree/master/mark
I understand that this is a security problem but I don't know how to fix it and cannot find any material that would help me solve the issue.
The easiest method is to set a PHP (or any server language) proxy that just gets the content of the page from the other domain and outputs it. The only real drawback is that the cookies of the client for the remote domain aren't sent.
Take a look at http://benalman.com/projects/jquery-postmessage-plugin/. This is a jQuery plugin that sends messages between the two frames. The two frames do not need to be on the same domain. But you do need to access both pages to be able to modify them. I also wrote a post here that answers communication between iframes. How to capture clicks from iframe on another domain?
Your only chance is something like easyXDM. (or do it manually using the hash, but would prefer easyXDM)
See the SO answer: Cross-domain hash change communication
eg. if you wanna call a method:
http://easyxdm.net/wp/2010/03/17/remote-procedure-calls-rpc/
EDIT:
If I try your demo in firefox I don't get the "Unsafe JavaScript attempt to access" error at all. But in Chrome it's thrown many times.
You have so much other code in your example that I'm not even sure that your code causes the problem. You should do a very limited/basic test to see if your flash-communication works, without all those other javascripts.
I have had similar issues with this before. Basically if you have an iframe that contains a page from a domain that differs from the main page's domain, javascript will not be able to cross the boundaries between them. Javascript within the iframe will be able to talk within the iframe, javascript in the main page will be able to talk within the main page, but they will not be able to talk to each other.
This is a security issue that aims to stop cross-site scripting attacks. There are a number of hacks that you can put in place to get around this problem but they are all (or at least the ones I know of) rather hairy.
Here are some questions that you should answer before trying to go further:
1) What exactly are you trying to do between the pages using javascript?
2) Do you have access to the source of both pages?
It may be waaay simpler than the above answers. It looks like this function:
function playSound(){
swf.playSound();
}
Is written in the DOM timeline before swf is actually assigned to the swfObject in the function below it.
I would recommend moving that function down further and then retest.
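The rule behind the console message quoted in the question ("Domains, protocols and ports must match"), as an added example that is not from the original posts. The function names are hypothetical; the URL pair is the one from the error message.

```javascript
// Added example: the (scheme, host, port) comparison that decides whether
// script in one frame may touch another frame's document.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originTuple(url) {
  const u = new URL(url);
  // URL lower-cases the host and drops a default port; make the port explicit again.
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function compareOrigins(accessorUrl, targetUrl) {
  const a = originTuple(accessorUrl);
  const b = originTuple(targetUrl);
  // about:, data: and similar URLs have an opaque origin here: it never
  // matches, not even an identical URL.
  const opaque = [a, b].some((t) => !(t.scheme in DEFAULT_PORTS));
  // The path plays no part; only these three components are compared.
  const differs = ["scheme", "host", "port"].filter((k) => a[k] !== b[k]);
  return { sameOrigin: !opaque && differs.length === 0, opaque, differs };
}

// The frame pair from the console error quoted in the question.
const fromQuestion = compareOrigins(
  "http://castedspell.com/mark/",
  "http://imaginaryman-test.blogspot.com/"
);
// fromQuestion.differs lists the component that blocks the access: the host.
```

A subdomain or a switch from http to https is enough to change the origin, which is why the proxy and postMessage approaches in the answers are needed when the two pages cannot be served from one origin.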

Wordpress Simple facebook connect - Javascript errors

I am using Simple Facebook Connect for WordPress.
However I am getting some javascript errors.
www.connect.facebook.com/widgets/fan.php?api_key=xxxx&channel_url=http%3A%2F%2Fjquery.webspirited.com%2F%3Fxd_receiver%3D1&id=189373481094312&name=&width=285&connections=10&stream=0&logobar=1&css=
GET (same url as above) undefined (undefined)
Unsafe JavaScript attempt to access frame with URL http://jquery.webspirited.com/ from frame with URL http://www.facebook.com/extern/login_status.php?api_key=xxxx&extern=2&channel=http%3A%2F%2Fjquery.webspirited.com%2F%3Fxd_receiver%3D1&locale=en_US. Domains, protocols and ports must match.
How can I fix these errors?
Short answer: You can't. This error happens in Safari and sometimes Chrome. The WebKit-based browsers have a somewhat tighter security model for cross domain same-origin policies. The way Facebook Connect works is that it tries one method to make things work, then if that fails, it falls back to another approach.
The fall back means that the code still works, but the error comes up because they try that method first.
This is how Facebook's code works. You can't fix it. You can't work around it. If you're going to use Facebook's code, then you learn to live with it.
Last time, when I got an error like this, I forgot to set up the URL in my Facebook application.
http://www.facebook.com/developers/ > Application settings > Web Site > Site URL, Site Domain
The api-key is always linked with your URL. The URL of the website where you implement the iframe must have the same URL as this.
You might like my Simple Facebook Comments For Wordpress wordpress plugin I recently released. It makes the whole process of adding facebook connect comments to your wordpress site super easy and fast.
http://www.davidswordpressplugins.com/simple-facebook-comments-for-wordpress/
