Why do I get an error using moveTo in JavaScript? - javascript

I am opening a new window from a button using var myWindow = window.open(...). I then want to move that window to the correct location on the screen. I use myWindow.moveTo(10,10) to do this but I get an Access Denied error.
The window I open contains information from another server to the one I am executing on. When it isn't, the window moves correctly. Is this the limitation and is there a way around it?
I am using IE7. (The work is for an existing Intranet that includes lots of ActiveX so all users use IE7)

You could try to put the information from the other site in an iframe located on the same host that runs the window.open JavaScript. Or maybe even better, get the information server-side and present it directly from your site. Iframes can be trouble.

The window I open contains information from another server to the one I am executing on. When it isn't, the window moves correctly. Is this the limitation and is there a way around it?
Browser security models have been increasingly restrictive over the last couple of years. What you could do a few years ago isn't allowed any more. Blame it on advertising companies.

Related

Google Chrome blocked redirect with window.top.location in iframe

I want to redirect my website from iframe to main url, here is my code:
window.setTimeout(function() {
    window.top.location = jQuery("link[rel=canonical]").attr("href") + "#ref=shahrekhabar";
    return false;
}, 100);
It works on Firefox but Google Chrome blocked this type of redirection.
I tried window.top.location.href, window.top.location.replace and window.top.location.assign, but no luck.
The reason:
Some spam sites show my site in an iframe and I want to escape from them, and I think redirection is a good solution.
Edit to answer the TRUE question:
A common issue with stack overflow is that users will often ask how to do something they think solves the problem they are encountering, rather than just asking us how to solve the problem. We always appreciate hearing how you've gone about trying to solve your problem, but it's always best if we know that and what the root problem is. So in your case, given your comment on my answer, the question should have been:
Currently my website is being shown in iframes on sites that I have no control over? I'd like to prevent them from doing this, how can I do so? I'm currently trying to redirect my website from iframe to main url, but it won't work on Chrome. ... Rest of question ...
Given this question, my original answer is useless as:
- You still can't and shouldn't be able to alter the URL of the parent window.
- You don't own the sites showing your page in the iframe, which means you can't register a listener to handle the postMessage or CustomEvent.
Funny enough, what you're trying to do is the exact reason why Chrome doesn't let you do it hahaha. But don't worry there is still a solution.
Introducing CORS!
CORS or Cross Origin Resource Sharing is the name for when a site on one domain accesses resources that aren't on the same domain. Doesn't matter who owns either site, if the two domains are different it's CORS. Now this is good for you because there are such things as CORS policies where you can prevent anyone from even accessing a resource on your domain if they make a CORS request. Keep in mind this will mean you can't display your site within an iframe on another one of your sites unless they're on the same domain, but it sounds like it may be worth it for you.
In case you're curious, unlike what you're trying to do, using CORS policy is very much standard procedure for developers that don't wish for their sites to appear in iframes and is in fact used by famous sites such as Facebook, Google, and even good ole Stack Overflow (I would know, I tried to make a way to view multiple questions at the same time via iframes a while back). I've included an example below that shows this all to be true, alongside an example of a site that doesn't care (editpad.org). In order to implement this on your site check out this link.
<iframe src="https://www.editpad.org/"> </iframe>
<iframe src="https://www.google.com/"> </iframe>
<iframe src="https://www.facebook.com/"> </iframe>
<iframe src="https://stackoverflow.com/posts/53917955"> </iframe>
The old answer:
So you're trying to change the location of the parent window from an iframe? This sounds extremely dangerous and the fact that Firefox doesn't block it worries me. Good job Chrome!
Why wouldn't you want this?
I can think of a few reasons you wouldn't want this, but the biggest is that it's just poor programming. A page should work completely independent of whether or not it is inside an iframe, and even if the page should only be viewed in an iframe it still shouldn't be interacting with the parent window in such a direct way.
Possible issues that could arise if this were allowed on all platforms:
- Include an iframe in your ads and as soon as your ad is displayed, redirect the user to your site or worse, redirect them to a mirror of the current site that you're hosting to collect passwords / personal information.
- If you can mess with the window's location (arguably the most important and static thing about a web page being viewed) why can't you mess with anything? Can you go into the parent window and adjust the DOM or do a query selection for inputs of type password in order to copy the values? Or what about attaching event listeners to the parent window silently such that you can log any and all key presses.
How can you work around it?
Don't worry too much about the issues I brought up above, as they can all be avoided by following proper standards. In fact, the JavaScript devs envisioned this exact problem which is why you can post messages across windows. Look into this link and go from there, feel free to comment if you have any questions but it should be as simple as posting a message, detecting it on the parent window, and then changing the location as you wish.
If you need to send data from the iframe to the parent window, or your iframe isn't hosted on the same domain, you can instead use CustomEvents (which I prefer even when my iframe is on the same domain) which allow you to attach a data object.
As for why either of these two solutions is better than directly manipulating the parent window, it's all due to the parent window needing to register a listener for the message / custom event. If your page is not inside an iframe it'll simply post a message to itself which it won't be listening for. If your page is inside an iframe on the page it should be on, your parent page should already have registered the proper listeners. And there is no chance for malicious use of these features because again, I have to register a listener and I choose what is done with the event once it's caught.
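A site refuses to be shown in other sites' iframes, as in the answer above, through response headers: `Content-Security-Policy` with a `frame-ancestors` directive, or the older `X-Frame-Options`. The following is an added example, not part of the original answer, that builds those headers and classifies a response's framing policy; the partner origin and sample headers are constructed.

```javascript
// Added example: build anti-framing headers and classify a response's policy.
// Origins and sample headers are constructed for illustration.

// Headers that restrict who may embed this site in a frame.
function antiFramingHeaders(allowedParents = []) {
  const sources = ["'self'", ...allowedParents].join(" ");
  return {
    "Content-Security-Policy": `frame-ancestors ${sources}`,
    // Fallback for browsers without frame-ancestors; it cannot express an allowlist.
    "X-Frame-Options": "SAMEORIGIN",
  };
}

// Source list of the frame-ancestors directive, or null when it is absent.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Returns "deny", "same-origin", "allowlist" or "any" (frameable by every site).
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // When present, frame-ancestors is used instead of X-Frame-Options.
    if (ancestors.includes("*")) return "any";
    const real = ancestors.filter((s) => s.toLowerCase() !== "'none'");
    if (real.length === 0) return "deny"; // 'none' or an empty list matches nothing
    return real.every((s) => s.toLowerCase() === "'self'") ? "same-origin" : "allowlist";
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "same-origin";
  return "any"; // absent, or a value such as ALLOW-FROM that current browsers ignore
}
```

A result of "any" from `framingPolicy` means any site can put the page in an iframe, which is the situation the question describes.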

Cross tab variable in javascript without server interaction

I am developing a chat system and got a question that I would like to ask you.
I don't think this is possible, but since I see similar behaviour in some websites, I would like to know how to access a variable defined/modified in another tab. I mean I don't want to send it to a server. How do I do something like
var myvalue=getValueInAvailableTab(varName);
If it is not possible, how does Facebook know if the chat dialog has been closed in another tab? Do they post this event on their server and then retrieve it?
I am sorry, I am not stealing behaviours, but this is the best example to explain what I want to do.
In most circumstances, the answer to your question is that you cannot access a JavaScript variable in another tab. There are other ways to pass data between tabs, however:
- You may create a browser extension that has the functionality that you want. Though different browser frameworks have different limitations upon accessing the code of pages that are open.
- If the windows are guaranteed to be opened by the same parent window, you may use window.parent or window.opener.
- If both tabs are from the same origin site, you may have one tab store the value in the cookie, and have the other tab retrieve that value.
These are all ways in which you may accomplish what you need without server interaction. I'm not sure what method Facebook uses, however.
As long as the browser tabs are from the same domain, you can keep track of them by keeping a reference to the return value of window.open(...):
var wins = {};
wins.someTab = window.open(...);
wins.someOtherTab = window.open(...);
Then to access global variables in that tab:
wins.someTab.someVar
And from inside that sub-tab:
opener.wins.someOtherTab.anotherVar

Chrome window targeting without common launch relationship

I'm doing an application where one window needs to talk to another, even though they didn't originally come from a common page. There seems to be a requirement in Chrome that this is so.
The two windows are from the same domain, which I control, but one might be launched from a bookmark and the other from an Excel worksheet.
I've got a demo here:
http://cfpreview12.dmclub.net/Frametest/europe.htm
Go to that URL (with Chrome)
- Launch France
- Launch Germany
- Click on "Go to Paris"
and it works (because France and Germany had a common referrer).
Now copy the URL of the France tab, close the tab, create a new tab manually and paste back the URL.
When you then flick back to Germany and click on "Go to Paris", a NEW TAB is created, seemingly because Chrome doesn't see the relation between windows that don't have a shared heritage.
I have full control over both pages (France and Germany) but in the real use, there is no such thing as Europe.
Any ideas on workarounds?
You won't be able to use target directly; you'll have to do navigations from the JavaScript in each context, sending messages from the scripts in each different window between each other.
OK, so how do we get scripts in different windows (but the same domain) to communicate when they don't have a shared reference to a window?
1) The old-school way, write values to document.cookie and they will be visible to scripts on other windows in the same domain. Requires some annoying protocol overhead in polling for cookie changes, acknowledging receipt/deleting, and encoding long messages (as cookie lengths are limited).
2) The slightly better version of the same thing using localStorage instead of cookies where available - avoids polluting the cookie header and increases the length of data that can go in a single message.
3) The modern way - create a SharedWorker and communicate with it from each window. Unfortunately limited availability at present.
You can of course fall back from (3) to (2) to (1) as necessary.

Java script in IFRAME security issues

On the website http://imaginaryman-test.blogspot.com/ the typewriter is inside of an IFRAME. Everything works correctly on all browsers when you go to the site directly http://castedspell.com/mark/ but when viewing the version embedded in an IFRAME it does not work on IE and throws errors in Chrome.
Unsafe JavaScript attempt to access frame with URL http://imaginaryman-test.blogspot.com/ from frame with URL http://castedspell.com/mark/. Domains, protocols and ports must match.
This is the source code for the embedded IFRAME
https://github.com/totheleftpanda/typeWrite/tree/master/mark
I understand that this is a security problem but I don't know how to fix it and cannot find any material that would help me solve the issue.
The easiest method is to set a PHP (or any server language) proxy that just gets the content of the page from the other domain and outputs it. The only real drawback is that the cookies of the client for the remote domain aren't sent.
Take a look at http://benalman.com/projects/jquery-postmessage-plugin/. This is a jQuery plugin that sends messages between the two frames. The two frames do not need to be on the same domain. But you do need to access both pages to be able to modify them. I also wrote a post here that answers communication between iframes. How to capture clicks from iframe on another domain?
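An added example, not from the answers on this page, of the cross-frame messaging suggested here and in the earlier answer about redirecting from an iframe: the frame posts a message, and the parent checks the sender's origin and the requested destination before acting. The origins and the `navigate` message type are assumptions made for the example.

```javascript
// Added example: the embedding page accepts navigation requests from a frame
// only after checking the sender's origin and the requested destination.
// All origins below are constructed placeholders.
const TRUSTED_FRAME_ORIGINS = new Set(["https://frame.example"]);
const ALLOWED_DESTINATIONS = new Set(["https://parent.example"]);

// Frame side: name the expected parent origin instead of "*", so the message
// is not delivered if some other site is doing the embedding.
function requestNavigation(parentWindow, url) {
  parentWindow.postMessage({ type: "navigate", url }, "https://parent.example");
}

// Parent side: returns the URL to navigate to, or null if the message is rejected.
function destinationFor(event) {
  if (!TRUSTED_FRAME_ORIGINS.has(event.origin)) return null; // unknown sender
  const msg = event.data;
  if (!msg || typeof msg !== "object" || msg.type !== "navigate") return null;
  if (typeof msg.url !== "string") return null;
  let target;
  try {
    target = new URL(msg.url); // absolute URLs only; relative or malformed input throws
  } catch {
    return null;
  }
  // Origin comparison also rejects javascript: and data: URLs.
  return ALLOWED_DESTINATIONS.has(target.origin) ? target.href : null;
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const href = destinationFor(event);
    if (href !== null) window.location.assign(href);
  });
}
```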
Your only chance is something like easyXDM. (or do it manually using the hash, but would prefer easyXDM)
See the SO answer: Cross-domain hash change communication
eg. if you wanna call a method:
http://easyxdm.net/wp/2010/03/17/remote-procedure-calls-rpc/
EDIT:
If I try your demo in firefox I don't get the "Unsafe JavaScript attempt to access" error at all. But in Chrome it's thrown many times.
You have so much other code in your example that I'm not even sure that your code causes the problem. You should do a very limited/basic test to see if your flash-communication works, without all those other javascripts.
I have had similar issues with this before. Basically if you have an iframe that contains a page from a domain that differs from the main page's domain, javascript will not be able to cross the boundaries between them. Javascript within the iframe will be able to talk within the iframe, javascript in the main page will be able to talk within the main page, but they will not be able to talk to each other.
This is a security issue that aims to stop cross-site scripting attacks. There are a number of hacks that you can put in place to get around this problem but they are all (or at least the ones I know of) rather hairy.
Here are some questions that you should answer before trying to go further:
1) What exactly are you trying to do between the pages using javascript?
2) Do you have access to the source of both pages?
It may be waaay simpler than the above answers. It looks like this function:
function playSound(){
swf.playSound();
}
Is written in the DOM timeline before swf is actually assigned to the swfObject in the function below it.
I would recommend moving that function down further and then retest.

ActiveX control in IE intranet zone - blocked without a prompt?

I'm writing an intranet page for my company that requires the use of an embedded dll (COM). The dll is registered on all clients computers so it doesn't need to be downloaded from the page, it just needs to run.
I've tried using the following code to embed the control:
var newObj = new ActiveXObject("servername.classname");
And this works when testing locally, but from the intranet the object fails to instantiate with the js error "automation server can't create object". I suspect this is because IE(7) blocks ActiveX controls by default in the intranet zone. I've also tried using the <object> tag with no luck.
I have a deadline to get this finished and it's unlikely that the IT dept will get around to changing the company security settings before then, so unless it's very straightforward for them to do it's not really an option.
So my question is: Is there any possible workaround that will allow me to embed the control so that it will at least prompt the user instead of silently blocking the control, without changing the default security settings in IE?
Almost everyone in the company uses some version of IE (up to 7), so it only needs to work for this.
All help and comments appreciated.
Thanks.
Update:
If this absolutely isn't possible, I'm looking at using the dll from a script on the server in this question. I'd still rather do it client side though because the control has some nice user interfaces available.
If you embed it with an <object> tag it should prompt you regardless; you could then make calls on it through the object tag. Another trick which may work is to put: <!-- saved from url=(0013)about:internet --> as the first line of your html file; I don't know if this will work on the intranet zone, but from localhost that will cause the page to be treated as though it were an internet page.
I have used FireBreath plugins (which act as activex controls and can be called in the way you describe) and have never had an issue like this. Good luck!
