Robert wrote:
<snip>
There is code to prevent a page from opening in a frame.
I do not know about _top.
I have seen but not tried:
if (self != top) {top.location.h ref = self.location.h ref}
In cases where there is a desire to break out of a frame it is almost
certain that the frameset originates in a different domain than the
contents of the frame. As a result cross-domain security restrictions
will apply to any code attempting to break out of a frameset, applying
to the tests made and then to the action carried out in response.
Comparing - self - or - window - with top - should be safe, there are no
securi9ty concerns in that action, and they are both properties of the
global object of the executing script. However, there are security
concerns relating to the reading of the URL of a page originating in
another domain. Security restrictions can be expected to apply to
reading any properties of a - top - frame that originates on another
domain, and the - location - object can be expected to be expected to be
subject to those restrictions above other objects. The mere act of
reading top.location could be restricted, particularly as that object
traditionally type-converts to a string that represents the page's URL.
And you cannot assign to - top.location.hr ef - without effectively
reading - top.location - in the process, and so risking a security
exception at that point.
Of course browser security restrictions vary considerably, but I don't
think this formulation can be expected to work successfully in a
reasonable range of browsers. And there is no need to risk the problem
as assigning a URL string directly to - top.location - has the desired
effect without any need to read the value of the object.
Richard.