Cross Domain JavaScript with DHTML HTC's - javascript

I have a typical setup for cross domain.
site1.company.com
site2.company.com
Main application is running off of site1.company.com. Trying to get communication working between a parent frame from site1 and a child frame from site2.
Both site 1 and site 2 are setting document.domain='company.com';
The communication works fine both ways; however, the parent frame from site1 was no longer able to communicate with the rest of the site1 application due to the same origin policy. I added the same document.domain property to every web page in site1.
The issue I am now facing is that all of our 20-some HTC files are no longer functioning. I attempted to set the document.domain in the script tag of the HTC's, but this threw an access denied message.
Trying to use the HTC's without the document.domain results in the same origin policy failing and HTC javascript calls are throwing access denied.
Is there something special I have to do to enable document.domain in an HTC file? Can this even be done?

Take a look at http://easyxdm.net/, it will enable you to embed frames that you can communicate freely and securely with across the domain boundary.
It will probably be easier than mucking about with document.domain (causes all sorts of issues).
This will most likely not work between HTML and HTC's, but it will between pages on the separate domains.

Related

Dynamics, iFrames

Good day everyone.
So I have a website and I am trying to embed a Dynamics server in an iframe, and it keeps throwing an error, something like:
"Refused to display https://XXXXXXXXXXXX in a frame because it set 'X-Frame-Options' to 'deny'."
Any ideas how I can get it to work?
This happens when we try to redirect the page to a login page.
Thanks
Check the X-Frame-Options header:
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
Based on the above statement, this is something that 'https://XXXXXXXXXXXX' has added to the page to disallow it from being used in an <iframe>.
You can see that this can even be configured globally on a web server level, to secure all the websites.
If the website is in the same domain the workaround is easier using SameOrigin value.
If you want to allow all, then just don't set the response header for the XXXXXXXX site at all (if you have access to it).
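To make the two header values concrete, here is an added example that is not part of the original answer: a small model of how a browser evaluates X-Frame-Options for a framed document, and the headers a server can send for each policy. The origins used in the checks are constructed for illustration; the Content-Security-Policy frame-ancestors directive is included alongside because it is the current standard mechanism and takes precedence where both are present.

```javascript
// Added example, not from the original post: model of the browser-side
// X-Frame-Options decision plus the server-side header values.

// Decide whether the framed document may be rendered, given the header value it
// was served with, its own origin, and the origins of every ancestor browsing
// context (the top-level page and any intermediate frames).
function framingAllowed(xfoValue, framedOrigin, ancestorOrigins) {
  const value = (xfoValue || '').trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') {
    // Every ancestor must share the framed document's origin, not only the top page.
    return ancestorOrigins.every((o) => o === framedOrigin);
  }
  // No header, or an unrecognised value (including the obsolete ALLOW-FROM),
  // imposes no X-Frame-Options restriction in current browsers.
  return true;
}

// Response headers a server should emit for each policy. Setting both headers
// covers old browsers (X-Frame-Options) and current ones (frame-ancestors).
function antiFramingHeaders(policy) {
  switch (policy) {
    case 'deny':
      return {
        'X-Frame-Options': 'DENY',
        'Content-Security-Policy': "frame-ancestors 'none'",
      };
    case 'sameorigin':
      return {
        'X-Frame-Options': 'SAMEORIGIN',
        'Content-Security-Policy': "frame-ancestors 'self'",
      };
    default:
      throw new Error('unknown anti-framing policy: ' + policy);
  }
}

// Constructed scenario matching the question: a page served with DENY, embedded
// by a page on a different origin.
const blocked = framingAllowed('DENY', 'https://dynamics.example', ['https://portal.example']);
console.log('framing allowed:', blocked); // false: the browser refuses to display it
```

In a Node HTTP handler the server side is applied with `res.setHeader(name, value)` for each entry of `antiFramingHeaders('sameorigin')`. Note that with SAMEORIGIN the check is made against the whole ancestor chain, so a same-origin frame nested inside a third-party frame is still refused.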

Get innerHTML of iframe loaded in chrome background page

I'm loading a webpage inside an iframe of a background page in a Chrome extension. I need to fetch the content (i.e. DOM) of the iframe. I'm getting a protocol error. How do I overcome this situation? Is there any workaround?
"Unsafe JavaScript attempt to access frame with URL https://swym.3ds.com/ from frame with URL chrome-extension://ohhaffjbbhlfbbpcdcajbkeippadmipk/back.html. The frame requesting access has a protocol of 'chrome-extension', the frame being accessed has a protocol of 'https'. Protocols must match."
I'm trying to implement a desktop notification for the above site, hiding the process from user eye.
I tried using XMLHttpRequest and jQuery GET; unfortunately my site's loading is nonstandard, and it doesn't work as intended.
Any suggestion on this topic will be very helpful.
It seems you're facing Cross-Origin Resource Sharing issues. Do a quick check for resources loaded with protocols, and convert http://www.example.com resources to //www.example.com. Also refer to the MDN CORS article.
Javascript cannot access content on another domain as it poses security risks. If you have control over the domains, you may use postMessage to overcome this. Take a look at this link
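Both the easyXDM suggestion in the first thread and the postMessage suggestion here rest on the same mechanism: the two documents keep their separate origins and exchange messages, and each side verifies who it is talking to. The following is an added example, not code from either answer, showing a parent page on site1.company.com and a framed page on site2.company.com (the hostnames from the first question) exchanging a ping/pong. The message shape, the frame's element id and the use of https are assumptions. The origin check is kept in a pure function so it can be exercised outside a browser.

```javascript
// Added example, not from the original answers: cross-origin frame messaging
// with window.postMessage. Hostnames are from the first question on this page;
// message format and the iframe id 'site2-frame' are assumptions.
const PARENT_ORIGIN = 'https://site1.company.com';
const CHILD_ORIGIN = 'https://site2.company.com';

// Decide whether a received message may be acted upon: the sender's origin must
// be on the allow-list and the payload must be a well-formed object. Anything
// else returns null and is silently dropped by the listener.
function acceptMessage(event, allowedOrigins) {
  if (!allowedOrigins.includes(event.origin)) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.type !== 'string') return null;
  if (data.type !== 'ping' && data.type !== 'pong') return null;
  return data;
}

// Reply generated by whichever side receives a ping. Kept separate so both
// documents reuse it and so it can be tested directly.
function replyFor(message) {
  if (message.type === 'ping') return { type: 'pong', echo: message.payload };
  return null;
}

// Browser wiring; skipped when the file is run under Node.
if (typeof window !== 'undefined') {
  const isParent = window.location.origin === PARENT_ORIGIN;
  const peerOrigin = isParent ? CHILD_ORIGIN : PARENT_ORIGIN;

  window.addEventListener('message', (event) => {
    const msg = acceptMessage(event, [peerOrigin]);
    if (!msg) return; // wrong origin or malformed payload: ignore
    const reply = replyFor(msg);
    // Reply to the verified sender only, with its origin as the target so the
    // reply is never delivered to some other document that replaced it.
    if (reply && event.source) event.source.postMessage(reply, event.origin);
  });

  if (isParent) {
    const frame = document.getElementById('site2-frame'); // assumed iframe id
    frame.addEventListener('load', () => {
      // Explicit target origin: if the frame has navigated elsewhere, the
      // browser drops the message instead of handing it to a third party.
      frame.contentWindow.postMessage({ type: 'ping', payload: 'hello' }, CHILD_ORIGIN);
    });
  }
}
```

The two checks that matter are the `event.origin` comparison on receipt and the non-wildcard target origin on send; with both in place neither document needs to touch document.domain, and a message from any other origin is discarded before it reaches application logic.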

JavaScript cross domain scripting

I have 2 sub domains
passwordservices.example.com
computers.example.com
All computers are attached to computers.example.com.
A workstation called PC123456 on the domain has the fully qualified name
PC123456.computers.example.com
The web pages are hosted on passwordservices.
How can I write JavaScript that's hosted on PC123456
and accesses DOM elements on passwordservices?
Basically, JS believes that even a subdomain such as img.yourdomain.com is a different domain from www.yourdomain.com. Because of that, AJAX across pages from those two subdomains will not work. Also, if you have an iframe from one to another, you will not be able to reference JS vars or functions back and forth.
A way around this involves setting up an iframe html on one domain and then calling that iframe from the page on the other subdomain. You have to set the document.domain to the same thing on both the parent page and its iframe, in order for them to talk to each other.
document.domain = "yourdomain.com"
Source: tomhoppe.com
You might also want to look into Cross-Origin Resource Sharing
Good Luck!!
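The rule this answer describes has a precise form in the HTML specification: once a document sets document.domain, the browser stops comparing full origins and instead compares the effective domains, and both sides must have set them. The following is an added example, not code from the answer, that models that check. It uses the hostnames from the questions on this page (site1/site2.company.com, and the later xyz:8080 / xyz:9090 pair, showing why that answer's port-stripping works); the schemes and paths are assumed, and the public-suffix check real browsers also apply is left out.

```javascript
// Added example, not from the original answer: model of the same-origin check
// and of the relaxation performed by document.domain. Hostnames come from the
// questions on this page; schemes and paths are assumed.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Scheme/host/port tuple for a document; domain starts unset (null).
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
    domain: null,
  };
}

// Models `document.domain = value`: the value must be the host itself or a
// parent domain of it, otherwise the browser throws a SecurityError. Returns an
// updated copy of the origin. (Browsers also refuse public suffixes such as
// "com"; that list is not modelled here.)
function setDocumentDomain(origin, value) {
  const v = value.toLowerCase();
  if (v !== origin.host && !origin.host.endsWith('.' + v)) {
    throw new Error('SecurityError: "' + value + '" is not a suffix of ' + origin.host);
  }
  return { ...origin, domain: v };
}

// Strict same-origin: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The check actually used for DOM access between documents ("same origin-domain").
// If neither side set document.domain, it is the strict comparison. Otherwise
// BOTH must have set it to the same value and the scheme must match; the port is
// no longer compared. A document that set it can no longer script a same-host
// document that did not, which is why every page on site1 in the first question
// had to be changed.
function canAccessDom(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return a.domain !== null && a.scheme === b.scheme && a.domain === b.domain;
}

// Walk through the scenario from this answer.
const parent = originOf('https://www.yourdomain.com/');
const frame = originOf('https://img.yourdomain.com/');
console.log('before:', canAccessDom(parent, frame)); // false
const relaxedParent = setDocumentDomain(parent, 'yourdomain.com');
const relaxedFrame = setDocumentDomain(frame, 'yourdomain.com');
console.log('after both set it:', canAccessDom(relaxedParent, relaxedFrame)); // true
console.log('parent set it, frame did not:', canAccessDom(relaxedParent, frame)); // false
```

The model makes the two practical consequences visible: relaxation is all-or-nothing across every document that needs to talk (a single page that did not set document.domain is cut off even from its own host), and because the port drops out of the comparison, two services on the same host but different ports can script each other once both set document.domain to that host.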

Unsafe JavaScript attempt to access frame in Google Chrome

Our web application (based on HTML5, SVG & JS) runs fine in all the browsers except Google Chrome.
In Google Chrome, the normal javascript events run fine, however, all the javascript events attached to the iFrame are not executed. We get the error in the console:
Unsafe JavaScript attempt to access frame
At the moment, the application is locally hosted and this problem cropped up during in-house testing.
Googling this brings up lots of posts but none suggests any concrete solution. Any suggestions?
As an additional security measure, Chrome treats every "file" path as its own origin rather than treating the entire "file" scheme as a single origin (which is what other browsers do). This behavior applies only to "file" URLs and you can force Chrome to revert to a single local origin (like other browsers) by passing the --allow-file-access-from-files switch at startup.
You can find more information on the risks associated with local origins described here: http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
Please make sure that both the iframe and main page are using the same protocol (i.e. both https or both http, but not mixed) and are on the same domain (i.e. both www.example.com and not example.com and dev.example.com). Also there's the possibility that something tries to use the file:// protocol, which will also cause this message.

Browser Same Origin Policy

We have an application hosted at "xyz:8080/rootapp" and cometd services hosted at "xyz:9090/cometed". The JavaScript loaded from the cometd server needs to access the DOM/JavaScript loaded from xyz:8080, but the browser's same origin policy is not allowing it.
To overcome it we set 'document.domain' to "xyz", eliminating the port. This solution is working well, but it is becoming a problem for all the iframes loaded by "xyz:8080", and I need to change each and every iframe to use "xyz" as the domain.
Can someone provide me hints to solve this problem without changing each and every iframe?
Do we have any http header to set domain?
You can use CORS to specify an exception to the same origin policy; this will work in any relatively modern browser.
This page has a fairly good intro and a list of compatible browsers.
The short version is put an Access-Control-Allow-Origin header into the responses from xyz:8080 that contains either xyz:9090 or * (for unrestricted access).
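As an added example that is not part of the original answer, here is the server-side computation of that header, written as a pure function so it can be attached to any Node HTTP handler. The host pair xyz:8080 / xyz:9090 is taken from the question; the http scheme and the allow-list are assumptions. Two details worth knowing before copying the answer literally: the value of Access-Control-Allow-Origin must be a complete origin (scheme, host and port, e.g. `http://xyz:9090`), not a bare host:port, and CORS governs what a script may read from fetch/XMLHttpRequest responses, not DOM access between frames.

```javascript
// Added example, not from the original answer: computing the CORS response
// headers for a request against an explicit allow-list. The allow-list and the
// http scheme are assumptions; the hosts are from the question on this page.
const ALLOWED_ORIGINS = new Set(['http://xyz:9090']);

// Given the incoming request headers (lower-case names, as Node's req.headers
// provides them), return the response headers to set. Origins not on the
// allow-list get no Access-Control-Allow-Origin at all, so the browser blocks
// the read; echoing the allowed origin back (rather than '*') is what permits
// credentialed requests, and Vary: Origin keeps caches from serving one
// origin's answer to another.
function corsHeaders(requestHeaders, allowedOrigins, options = {}) {
  const origin = requestHeaders['origin'];
  const out = { 'Vary': 'Origin' };
  if (!origin || !allowedOrigins.has(origin)) return out; // not CORS, or not allowed

  out['Access-Control-Allow-Origin'] = origin;
  if (options.credentials) out['Access-Control-Allow-Credentials'] = 'true';

  // Preflight (OPTIONS with Access-Control-Request-Method): answer which
  // methods and request headers are permitted, and let the browser cache it.
  if (requestHeaders['access-control-request-method']) {
    out['Access-Control-Allow-Methods'] = 'GET, POST';
    const requested = requestHeaders['access-control-request-headers'];
    if (requested) out['Access-Control-Allow-Headers'] = requested;
    out['Access-Control-Max-Age'] = '600';
  }
  return out;
}

// Apply the computed headers to a Node http.ServerResponse.
function applyCors(req, res, allowedOrigins, options) {
  const headers = corsHeaders(req.headers, allowedOrigins, options);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}

// Constructed request as the browser at xyz:9090 would send it to xyz:8080.
console.log(corsHeaders({ origin: 'http://xyz:9090' }, ALLOWED_ORIGINS));
```

Inside a handler the call is `applyCors(req, res, ALLOWED_ORIGINS, { credentials: true })` before writing the body, and for preflights the handler should end the response with status 204 once the headers are set. Use `*` only for genuinely public, cookie-free resources: browsers reject `*` when credentials are in play, and a server that reflects any Origin unconditionally has simply disabled the policy.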
