I have a simple html file. Using javascript I am opening a https link as a child window.
However, if I try to get any data say
var handler = window.open('https://abc.com','newWindow');
var title = handler.window.document.title;
Then it throws an exception saying
Permission denied for http://localhost to get property Window.document from https://abc.com
Can anyone help me out with this.
I don't really know if we are allowed to get data like that or not.
Thanks & Best Regards.
You are not allowed to access data in this way.
If you are a page on hostname A, you can open windows/frames on hostname B, but cannot in any way interact with them - for security reasons. Otherwise, I could open gmail in an iframe and find out your email address from the window title.
This restriction only applies if window A and window B have different hostnames (this includes protocol, host and port). So if you open iframes/windows on your own domain, this is not a problem.
Related
Background
We have two web applications hosted on different sub-domains. Application 1 is an internal admin system. Application 2 is a helpdesk system.
We can modify the source code of Application 1 but we have no access to modify Application 2.
The Goal
To display a link against an order in Application 1 that will open a new window, the URL of which is that of a ticket in Application 2.
The idea being that our staff can see that an order has a helpdesk ticket raised against it and simply needs to click a link on the order to view the ticket and reply to it.
The problem
Regardless of how I open the new window (window.open, target="_blank", etc.) the ticket in the new window is unable to make any ajax requests back to the helpdesk system where it is hosted.
The URL of the new window is part of Application 2.
In Google dev tools it tells me "The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "https". Protocols must match." even when I open it using _blank.
If I go to the exact same URL manually everything works... but this doesn't help when I need it to work from the link.
Is there any way to achieve the above?
If not, is there any way I can open a new window that is "detached" from the window that opened it so that same origin policy no longer applies?
Edit 2014-03-28 10:23
I have no access to App2's code at all. I cannot make any changes to App2. Any answer must take this into account.
I am trying to open a new window from my application (App1) where the target URL of that window is a page in App2. That page inside App2 then needs to be able to use ajax to communicate with other areas of App2. This is where the problem lies. Because App1 opened the window the same origin policy is preventing that window from making it's ajax requests.
I suspect that JavaScript on the second (helpdesk) app is trying to access the first app via window.opener (which could lead to the cross-origin error you're seeing) and subsequent JavaScript (fetching stuff via AJAX) is then not getting executed. You can probably narrow things down by setting appropriate breakpoints in the second app.
If this is the cause and you can't modify the source for the helpdesk app, how about going to a URL in the internal domain that would then redirect to the help desk? The redirect should cause the window.opener property to become null (same as manually typing in the URL).
Assuming https://admin.mydomain.co.uk and http://helpdesk.mydomain.co.uk, clicking on the "Help Ticket" link would go to a URL in the internal app, e.g. https://admin.mydomain.co.uk/getHelp?ticketId, which would respond with a 301 response and an appropriate Location: http://helpdesk.domain.uk/help/ticketId header taking the user to the actual helpdesk URL.
You could use a proxy server or iframe proxying.
Use the following url //app2.mydomain.co.uk without the http or https.
It's not only a cross domain problem but a protocol issue :
You can't embed https into http page without this warning.
Consider using iframe inside your App1 :
<iframe src="https://app2.mydomain.co.uk" ></iframe>
Or maybe you can use CORS to access data between your two domains ( but i think it's not the point, you want the whole App2 page, isn't it ? )
Edit : By re-reading your question, i'm pretty sure of two thing :
You're not looking at the right direction. You say App2 don't use SSL, and that obviously false when Chrome say "Protocols must match"
It's not a "attach" or "detached" problem. If you put a link (blank or not) in a page, it can be load the new page without any problem, nor link with the referal page.
So my guess is : Your are calling App2 without SSL ( no https), BUT inside the App2, there is some https involved ( certainly some ajax query). So here is the problem : When you open the page without https, it's seem to load, but when the first https Ajax fires, it fail.
Try using https when calling your App2 url, and give us the result
My solution is this: in Application 1 you create a method your method that calling Application 2 on the server side, then you can use AJAX calling your method which will return result of Application 2.
I was trying to get the value from my child.jsp to my parent.jsp using
var myvalue = window.opener.document.getElementById(“parentId1”)
Even though there were no errors found in the console the value is not getting in the parent page.
The child popup window has the url starting like, https://host.example.com:7001/..... and the parent page url is different starts with http://anotherhost:8080/webapp.... is there any issue in communicating with a child window and a parent page which is on another server?
If so how can I solve this issue?
...is there any issue in communicating with a child window and a parent page which is on another server?
Yes, this is prevented by the browser's implementation of the Same Origin Policy.
If you control both servers, look at using Cross Origin Resource Sharing.
Alternately, if you control the JavaScript code on the pages but not the servers (or just if you prefer this mechanism), you can use postMessage to send messages from one window to another. You can't directly access the other window's elements as in your code snippet, but the two pages can cooperate to deliver the relevant value from one page to another, even cross-origin. More on postMessage: MDN | Spec
Unless you can use CORS or postMessage, I don't think you can do it client-side; you'll need a proxy.
I'm working over the same domain giving the ability for a user to navigate within the iframe on the page. I'd like to handle the onload of the iframe in Chrome and to process the actual href the user navigated to. When I'm trying to access
document.getElementById("contentFrame").contentWindow.location.href
it says undefined. Debugger tells that location is an object, but I cannot figure out what property to use.
any guess?
Chrome v15
If you really are on the same domain, use the same protocol and port it should work. Here's an example: http://jsfiddle.net/csVcL/1/
Maybe you're on different subdomains, in which case you need to use document.domain
If you are not in the same domain, you are not allowed to access the href or any other properties on the remote window.
I am trying to get window A (on our domain) open window B (another domain, like YouTube) and I want to show the current document location of window B in window A.
As an example, here is some of the code I am using:
var popup;
var popupRelay;
function findPopupURL(){
var loc=popup.document.location.href
$('#popuploc').html(loc);
}
function clickPopupLink(){
var windowProperties='height:500,width:1000,location:1,toolbars:0';//etc etc
popup=window.open('http://www.youtube.com/','popup',windowProperties);
popupRelay=setInterval(findPopupURL,1000);
}
This code generates this error however:
Error: Permission denied to access property 'document'
Unfortunately the work arounds I keep finding requires me to put code on both domains, which is obviously not possible if Im opening somewhere like YouTube.
What I want to know is, is there a way of getting the document location from another window showing another domain? Can it be done at all? And if so, how?
No, it is not possible to spy on what people do on other domains. That is exactly why the Same Origin Policy exists.
So, the error message is the security restriction to access a parent frame or window from within an (i)frame from a different domain.
(Unsafe javascript attempt to access frame with URL xxx from frame with URL yyy. Domains, protocols, and ports must match).
However, there is no line shown in webkit or chrome from where this error is generated.
So how do I get a list of the lines that infringe upon this? I know I can just search, but does this apply to cookies as well (document.cookie, etc) ? Is there a list of things that are disallowed?
Edit: Also, what do I need to use instead of $(window.top)?
Thanks.
If you own all of the pages (the containing document and the iframe document) just stick some javascript in each of them to allow them to communicate happily:
document.domain = 'myDomain.com';
Any call from inside the frame to window instead of window.frames[my frame] will cause a violation unless you have the document.domain set to match the parent. https://developer.mozilla.org/en/DOM/document.domain