I have an IFrame inside my 1st page that loads another page which I don't want it to be accessed directly. So I thought maybe I can be sure that the 2nd page is loaded inside 1st one if I check the top.location in 2nd page and do as normal if it's equal 1st page URL or remember user as hacker if it's not.
Here is the code:
1st Page:
<html>
<head>
<title>1st Page</title>
</head>
<iframe src="2nd Page" name="frame1" height="80%" width="100%"></iframe>
</html>
2nd Page:
<script type="text/javascript">
if(top.location == "1st Page URL") {
// It's OK, Access is not direct
} else {
// It's not a normal access
}
</script>
It seems that this code will work fine, but I'm not sure if it's foolproof or not. Maybe top.location could be spoofed (like $_SERVER['HTTP_REFERER']) or it's totally unreliable somehow. I need to be sure about that.
Well, you can use JSPs. Have your second page, the one that should never be accessed directy placed in the WEB-INF folder of your project, and then have the main page do a jsp:forward towards that resource. This way the 2nd page can never be accessed directly.
top.location, HTTP referer and everything can be spoofed easily. There is no point of trying to build client-side security checks.
Instead, you should focusing make your code robust using sessions, etc.
Related
I want to redirect to another page from 1 page without showing contents of that page using javascript/jquery.
So for example I would be either typing or coming from a search engine to a page on my website say www.mysite.com/aaa/ and I should get redirected to www.mysite.com/bbb/ without showing the contents of www.mysite.com/aaa/.
The server side is asp.net and I can do this using Response.Redirect but I do not want a code change.
From my limited knowledge, I cannot use document.ready or window.load as both will load the contents of the page in the browser before redirecting.
I am not aware of any other thing which would help me achieve this. Tried hard searching but could not get anything useful.
I got something here. I can have this in the header but right at the top of the header might not be possible. Plus the answer is not looking very convincing. However, can try it out and update this question with the findings.
Please help!
Thanks in advance!
When the the web browser engine reads an HTML document and identifies a script element, it immediately invokes the JavaScript interpretator and executes the code. So, if your document starts with a JavaScript which redirects away from the page, the client shouldn't be shown the remaining document. Something like this could work:
<!DOCTYPE html>
<html>
<head>
<script type='text/javascript'>
//using "replace" removes the current page from browser history
location.replace('page_b.html');
</script>
Also, if there is something on the current page that should not be displayed to the client while the redirect is in process - you can inject some additional CSS, like
<style type='text/css'>
body {display:none}
</style>
This question already has answers here:
Get current URL from IFRAME
(8 answers)
Closed 5 years ago.
I'm using iframe to load faroo.com as default src in frame when i search and move to other webpage using faroo.But still in the iframe src its display faroo.com only i wanted to capture url of page that has loaded in iframe
<!DOCTYPE html>
<html>
<head>
<script src="http://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.11.1.min.js"></script>
<script type="text/javascript">
$(function(){
$('#frameid').load(function(){
var z=$('#frameid').attr('src');
console.log('hi '+z);
});
$('#clicked').on('click', function(){
$('#frameid').attr('src', 'http://www.faroo.com/');
});
});
</script>
</head>
<body>
<iframe width="100%" height="500px" id="frameid" src="" name="iframe_a" ></iframe>
<p><input type="button" value="click me!" id="clicked"></p>
</body>
</html>
The o/p at console.log is always faroo.com not the current website that has loaded
For a matter of security you are allowed to retrieve the URL as long as the contents of the iframe, and the referencing javascript, are hosted in the same domain.
Should it be the case, you can do something like:
document.getElementById("frameid").contentWindow.location.href
If the two domains are different then you'll have all the restrictions that apply to the cross-site reference scripting domain. Example:
document.getElementById("frameid").src = 'http://www.google.com/';
alert(document.getElementById("frameid").documentWindow.location.href);
Error: Permission denied to get property Location.href
For sure (except if you find some huge security flaw in your browser) you simply cannot achieve what you need using javascript in the parent document. Let's see with a simple example why. If the browser allowed what you need, you could easily:
Create a page, with a hidden iframe (e.g. http://malicous.com/dont-trust)
In that iframe, open a child page with the login process of some website (e.g. http://insecure-web-site.com/redirectlogin)
If cookies for child are present and under certain circumstances, the page inside the frame will redirect to the real website, proceeding with user login.
From the parent page now you will be able to read all the sensitive informations gone through the login process contained inside the URL, e.g. access tokens, session IDs, ...
At this point the victim website and its users are in front of a wide new set of possible security threats...
Seem likes there is a hack to make this work and I actually can't believe it's even allowed. This is how it seems to work:
1) Change the domain to match iframe:
document.domain = <iframe_domain>
2) Get the URL like so:
console.log($('iframe')[0].contentWindow.location.href)
In my opinion, this should not have worked, but it does. I tested with the following in Safari, Chrome and Firefox all latest version as of 02/01/2017:
Main: http://subdomain.website.com
iframe: http://www.website.com
What do you think? Is this permanently allowed or is it an oversight that will be patched soon?
Update
I started another thread for discussion here regarding browser security.
Isn't This A Serious Browser Security Issue? RE: Cross-Domain iframe Hack
Update 2
Seems like this will always be supported for specific cases.
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
Suppose that I have an ASP.NET page that is intended for other sites to render inside of their <iframe>. Suppose further that my page includes some server-side <asp:LinkButton> controls, which get rendered as <a href="javascript:__doPostBack(...)"> links.
I would be happy if _doPostBack() would execute within the iframe, but it does not--Instead I get "_doPostBack not defined" error in the console. I presume that is because it is trying to execute it on the outside page, because it is an href="javascript:..." link and not an ordinary DOM event.
How can I overcome this without changing away from a LinkButton? Is there a better way to run the server-side code I need for clicking the button?
EDIT: I added an the test
and clicked on it, and I got the title of my outer page, not the title of my page in the iframe.
I might not be getting the question right...but the link button in your iframe should work fine only inside the iframe context. So anything in the code-behind of the iframe .aspx will work as regular.
Now if you want the link_button in iframe to interact with the parent page the nope.
What you are trying to do is a Cross-domain scenario. I doubt there's any way you might be able to accomplish it and that's due to security reasons. I was looking for something like that as asked here.
If you own both the websites then you might want to check if WebService is of any use.
I was pretty curious to try it myself, so I created a test application and I was easily able to get a postback within the IFrame.
Now a little clarification if a postback is happening inside an IFrame, you will even see the effects within the frame bounds (unless programmed other wise using some client script). Now to your issue there is no possibility of you invoking the parent __dopostback event, under normal circumstances (but you may like to see this link for a probable thing that might be happening at your parent page).
At times as a security measures the javascript is disabled on individual IFrames (the feature is readily available with HTML5). There is a good possibility that you may be dealing with a similar situation. In that case you do not have any control over the functioning, unless you fall back to simple HTML forms and post it to a different ASP.net page.
Based on our discussion below I would suggest you to use simple HTML hyper link in your page, unless you can change the code of the parent page. If postback is desirable then you can make use of cross page posting (as I already mentioned) and from that page redirect back to your current child page.
One of these codes should work for you:
Link Text
OR
Link Text
OR
Link Text
OR
Link Text
If none of the above codes works for you then you should consider putting a submit button instead of hyperlink.
Hope this helps.
Also curious, I tried to replicate your issue but the post back worked fine inside an iframe. It may sound silly but can you confirm that the page works outside of an iframe?
Other suggestions:
Try different browsers
Disable browser extensions
Try creating a basic HTML page on your local pc with an iframe to your website and see if it works that way. That could tell you if the parent page is the culprit.
<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<title></title>
</head>
<body style="background: #ccc">
<h1>My HTML Page</h1>
<iframe src="http://MyWebsiteUrl" width="400" height="400" />
</bod>
</html>
Well I had the same problem. Ended up adding asp:imgButton controls with an OnClick="" aspx.cs code behind handler.
The handler their click event called was the one I wanted my linkbutton to call but wouldn't in Safari 7.0.1 on Mac. I put an OnClientClick="return mylinkbuttonHandler()" client side handler in javascript that just invoked my hidden (because they have no image assigned) imgButton's click event; the javascript itself looked like the below:
<script language="javascript" type="text/javascript">
// Fake out Safari by creating imgButtons that fire the linkbutton code behind events
function saveButtonLogic() {
var buttonId = document.getElementById("hiddenSaveButton");
buttonId.click();
return false;
}
function submitButtonLogic() {
var buttonId = document.getElementById("hiddenSubmitButton");
buttonId.click();
return false;
}
function clearButtonLogic() {
var buttonId = document.getElementById("hiddenClearButton");
buttonId.click();
return false;
}
</script>
Hey, it's ugly but it worked great.
I have a webpage (localhost). When I type its URL in the browser I am making it redirect to another webpage using Javascript.
<head>
<script type="text/javascript">
function wa() {
window.location = "http://www.anyWebsite.com";
}
</script>
</head>
<body onload="wa()">
As a result the URL in the web browser also changes. The only thing I need here is that the URL should not change.
You can load the other page into an <iframe> or <frameset> that covers your entire page.
Note that you will not be able to display the other page's title.
Also note that many websites (such as StackOverflow) will prevent this for security reasons.
Simple answer!! Not possible
Page will refresh every time when you will change window.location
Not possible for security reasons, users should see what URL they are at.
There are workarounds though - make an IFrame for the whole page and set the location there or dynamically load the page and update from different location.
I cannot believe I'm about to suggest using iframes, but you're easiest solution is indeed iframes.
Create an iframe that's 100%x100%, and when the window loads set the location of the iframe to your new url. The location bar will (should?) stay the same while the page appears to have moved onto a different location.
iframes: http://www.w3schools.com/tags/tag_iframe.asp
I want to track what happens inside an iframe when a user clicks on links in the IFrame. The page that contains the iframe (the parent) is to track the user´s navigation through the page in the iframe. Both pages will be hosted on the same toplevel domain, although the subdomains will differ.
I need the parent page to be notified of every click, but I do not have direct control over the pages I load into the iframe.
Is adding an onclick to all the links whenever the page in the iframe is loaded possible? How would I go about doing this?
This would be the "template" on which to build:
<html>
<script language="javascript">
var currentURL;
</script>
<body>
<iframe id="container" width="500" height="500" src="http://subdomain.parentdomain.com"/>
</body>
Iframe CrossDomain access needs to be the same domain, subdomain, and port.
If you had them on the same domain, you could bind click event handlers on all the links, then when they are clicked log a click to something like google analytics, your database, etc.
I do not have direct control over the pages I load into the iframe
That's your blocker. If you can augment the code within the remote pages, you can use postMessage and the iframe fragment identifier hack to get browser coverage.
Fortunately, someone already did the dirty work for you:
http://easyxdm.net/
http://consumer.easyxdm.net/c/
http://www.codeproject.com/KB/scripting/easyXDM.aspx?msg=3153511
I am going to use an AJAX-Proxy to have the content (as far as the browser is concerned) come from my domain. This will solve all the cross domain scripting issues that CodeJoust mentioned. Speed of delivery might be a problem due to the overhead I will be generating, but that will have to be seen.
I will probably move along the lines of this Stackoverflow Question:
"Apply “onclick” to all elements in an iFrame"
Regarding legal issues pertaining to proxying and changing the content of pages dynamically, it will have to be checked. I believe that tracking users that give their express consent is, from an ethical standpoint, unproblematic.
With jQuery it would be easy.
$(document).ready(function(){
var iframeWindow = $('#container')[0].contentWindow;
$(iframeWindow).load(function(){
$(this).find('a').click(top.myClickHandler);
});
}
function myClickHandler(){
/* Do something */
}