Bytes | Software Development & Data Engineering Community

cross site scripting

Hi,

I have a situation where I want a customer to be able to embed my
functionality within their web site, a bit like a counter but more complex
because my functionality consists of several separate frames.

The idea is that the customer will set up several iframes embedded in their
web site, all pointing to the same server on which I'm hosting the service
(slightly different URLS). When the user clicks on one of my iframes, some
javascript happens which changes the view in all of my iframes (i.e.
navigates them to different URLs).

I found that by including a javascript file in the main window, this can be
called from one of the iframes and can manipulate the other iframes.
However, if the iframe the user clicks in is hosted on a different server
from the one owning the javascript, it cannot execute it. This will clearly
be the case in my scenario. Javascript running in one iframe cannot access a
different separate iframe even if it is on the same server.

I guess this is to prevent XSS attacks. In this case, I don't want to update
anything in the customer's window, but I want to be able to "own" several
iframes and have them talk to each other.

If anyone understands what I'm trying to achieve here, any ideas would be
appreciated. Second best would be a definitive statement that it's
impossible.

Andy
Jul 23 '05 #1
Ivo
"Andy Fish" wrote
I found that by including a javascript file in the main window, this can be called from one of the iframes and can manipulate the other iframes.
However, if the iframe the user clicks in is hosted on a different server
from the one owning the javascript, it cannot execute it. This will clearly be the case in my scenario. Javascript running in one iframe cannot access a different separate iframe even if it is on the same server.

I guess this is to prevent XSS attacks.
Yes.
In this case, I don't want to update
anything in the customer's window, but I want to be able to "own" several
iframes and have them talk to each other.

If anyone understands what I'm trying to achieve here, any ideas would be
appreciated. Second best would be a definitive statement that it's
impossible.


It's impossible. Definitely. All participating frames, framesets, top,
parents, children and what-have-you must be from the same domain. That is,
the part between the double slash and the next slash must be the same.
This rule is very strict; I believe that even
http://www.example.com/
and
http://example.com/
are not able to talk to each other.
Sorry. Look for ways not utilizing a multitude of iframes, but perhaps
update an image if you want to invoke a serverside process, such as
form.asp.png?client=ABC&item=code1&quantity=2. Another solution that comes
to mind is to create a popup window with script in your user's page that
points to a frameset on your own site so all frames at least in that window
are from the same domain.
Ivo
Jul 23 '05 #2
Thanks for the quick reply

I was looking for a way to give the customer more control over how my
functionality was presented on their site.

However, it looks like I will just have to put it all in one box that they
can embed as a single frame or iframe.

Andy

"Ivo" <no@thank.you> wrote in message
news:40**********************@news.wanadoo.nl...
<snip>

Jul 23 '05 #3
Ivo wrote:
<snip>
It 's impossible. Definitely.
I agree.
All participating frames, framesets,
top, parents, children and what-have-you must be from the same
domain. That is the part between the double slash and first next
slash must be the same. This rule is very strict;
I believe that even
http://www.example.com/
and
http://example.com/
are not able to talk to each other.

<snip>

That is by default, but those two examples could use the -
document.domain - property to allow them to communicate. But between
http://example.com (and sub domains) and http://notExample.com (and its
sub domains) communication is out of the question (no workaround and no
exceptions except for serious bugs that can be expected to be rapidly
fixed once identified).

The problem is that the IFRAMEs would be leaves in a tree structure in
which everything towards the root is inaccessible for security reasons,
and any javascript communication would have to be via something towards
the root.

The only common point through which the IFRAMEs could communicate would
be the server that they came from. Which would be a nightmare to
implement and orchestrate and probably dependent on some limited (on the
client) technology like ActiveX or Java.

Richard.
Jul 23 '05 #4
