
How to prevent the no-frame JS?

Eli
Hi,

I'm using an IFRAME in which I can load any site. But there are
some sites that check if they're in a frame and reload the whole
window. This disrupts my whole page.

Some questions:

1. Isn't it illegal to change the top location of the window? It
seems like a security hole (XSS hack).

2. How do sites do that? (see that even gmail.com does it)

3. How can I force the site to remain in the IFRAME and not allow it to
change the top location?

-thanks, Eli

Jul 23 '05 #1
In article <11**********************@o13g2000cwo.googlegroups.com>,
el*****@gmail.com enlightened us with...

> I'm using an IFRAME in which I can load any site. But there are
> some sites that check if they're in a frame and reload the whole
> window. This disrupts my whole page.

Yeah, that's what we hope for.
I don't want my stuff framed in your site. Breaks my code.
Any site I have that needs to use top.frames has a framebuster script in
there.
Considering how many people like you have posted this sort of question, I'm
considering adding it to the rest of my stuff.

> Some questions:
>
> 1. Isn't it illegal to change the top location of the window? It
> seems like a security hole (XSS hack).

It's illegal to use other people's content without permission on your site,
actually. Copyright and all that jazz.
If someone really felt like it, they could probably report you to your host
and get your account pulled as a TOS violation -- if you don't make it
really, really obvious that you're framing someone else's stuff, not claiming
it as your own.

> 2. How do sites do that? (see that even gmail.com does it)

They check the value of top.location.href or something similar.
Ever stop to think why we need to do this?

My guess is that Gmail also uses top to reference its own frameset. Putting
it in another breaks it.

> 3. How can I force the site to remain in the IFRAME and not allow it to
> change the top location?

You can't.
If you could, do you really think we'd tell you?

--
~kaeli~
Dijon vu - the same mustard as before.
http://www.ipwebdesign.net/wildAtHeart
http://www.ipwebdesign.net/kaelisSpace

Jul 23 '05 #2
Eli
kaeli wrote:
>> 1. Isn't it illegal to change the top location of the window? It
>> seems like a security hole (XSS hack).
>
> It's illegal to use other people's content without permission on your
> site, actually. Copyright and all that jazz.
> If someone really felt like it, they could probably report you to your
> host and get your account pulled as a TOS violation -- if you don't make
> it really, really obvious that you're framing someone else's stuff, not
> claiming it as your own.

Of course, I'm not intending to use other sites' contents as my content.
And I make it really clear that the content is from another site, by
showing the real URL in the top window and showing a URL input text to
change to another URL. No breaking of copyrights and all that jazz.
Serious sites that do care about copyrights put a copyright statement on
their pages.
I can also claim that Google breaks copyrights because it saves
contents of other sites in its cache without permission.
Besides, you can put any image in your site from any site (with the
<image src="..."> tag). Who really checks where's the origin of the
image? It's not that clear where the image comes from. The same way you
check the origins of an image you can check the origins of an IFRAME. I
know it's not OK to use others' stuff, but if copyrights are saved, I
guess there's nothing wrong.

>> 2. How do sites do that? (see that even gmail.com does it)
>
> They check the value of top.location.href or something similar.
> Ever stop to think why we need to do this?

Well, I guess that's not something you can rely on to prevent the
redirect behavior. So how can you make the check fail, or better,
prevent the top redirect?

>> 3. How can I force the site to remain in the IFRAME and not allow it to
>> change the top location?
>
> You can't.
> If you could, do you really think we'd tell you?

Copyrights in my site are saved. The no-frame redirect causes data loss
in the top frame, which could break actions. So preventing this is
critical for me.
How can a site inside an IFRAME change the location of the top
window? Shouldn't it be disallowed by domain JS security?

I know this redirect can be prevented. I just don't know how...

-thanks, Eli

Jul 23 '05 #3
kaeli wrote:
> I don't want my stuff framed in your site. Breaks my code.

Why do you always assume this is for some malicious purpose?

My browser's home page is a custom frameset "control panel" that I created
which loads my most-accessed sites in frames for me and updates them every
so often. Surely you shouldn't object to that.

If being framed breaks your code, your coding is bad, IMO.

Blindly referring to 'top' is not recommended, IMO. You should always go
through your parent.

--
Matt Kruse
http://www.JavascriptToolbox.com
Jul 23 '05 #4
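The check kaeli describes in #2 (compare the top window with the page's own window, then navigate top) and Matt Kruse's point about going through parent, as an added example that is not code from this thread. It is written around a window-like object passed in by the caller so the logic can be exercised outside a browser; in a page you would pass the real `window`. The `makeWindow` stand-in and its URLs are constructed for the demonstration.

```javascript
// Added example, not from the thread. Assumes `win` follows the DOM shape
// of a browser window: win.self, win.parent, win.top and win.location.

// True when `win` is not the top-level browsing context.
function isFramed(win) {
  // Reading win.top.location.href from a cross-origin frame throws a
  // SecurityError, so compare the window objects rather than their URLs.
  return win.top !== win.self;
}

// Nesting depth, found by walking `parent` (Matt Kruse's suggestion)
// until a window whose parent is itself, which is the top window.
function frameDepth(win) {
  let depth = 0;
  let w = win;
  while (w.parent !== w) {
    w = w.parent;
    depth += 1;
  }
  return depth;
}

// Frame-buster of the kind kaeli mentions: when framed, send the top
// window to this page's own URL. Assigning top.location is allowed
// cross-origin even though reading it is not, which is why a framed
// page can "reload the whole window" as Eli observed.
// Returns the URL the top window was sent to, or null if nothing was done.
function bustFrame(win) {
  if (!isFramed(win)) {
    return null;
  }
  win.top.location.href = win.self.location.href;
  return win.self.location.href;
}

// Constructed stand-in for a browser window (not a real DOM object).
// The top window has itself as parent and top, like a real one.
function makeWindow(href, parent) {
  const w = { location: { href } };
  w.self = w;
  w.parent = parent || w;
  w.top = parent ? parent.top : w;
  return w;
}
```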
In article <d6********@news4.newsguy.com>, ne********@mattkruse.com
enlightened us with...
> kaeli wrote:
>> I don't want my stuff framed in your site. Breaks my code.
>
> Why do you always assume this is for some malicious purpose?

Because I'm a cynical little shit who knows plenty of people who aren't very
nice. And in case you didn't notice, I myself have been known to do some
questionable things with websites just for the hell of it.
I assume it is for a questionable purpose until it is proven otherwise. YMMV.

Basically, the same reason I use .htaccess to prevent bandwidth theft.
Because some people are idiots; some don't know better and some know better
but do it anyway.

> My browser's home page is a custom frameset "control panel" that I created
> which loads my most-accessed sites in frames for me and updates them every
> so often. Surely you shouldn't object to that.

No, I don't.
If I did, I'd already have that framebuster code on ALL my stuff.

> If being framed breaks your code, your coding is bad, IMO.

The coding is fine. The assumption that my frameset is not enclosed in
someone else's is perfectly reasonable.
And if someone frames my stuff when I didn't want them to, it's their stuff
that looks broken anyway. *eg*

That's like saying that if installing my Windows app on your Mac breaks it,
the code is bad. Or that using my stuff that I say is for NN6+ only on NN4
breaks it, the code is bad.
Assumptions for code have to be made. The assumption that someone won't frame
my frames is one I make and ensure by using framebuster scripts. Just like I
use object detection in my script so NN4 won't run it and puke.

> Blindly referring to 'top' is not recommended, IMO. You should always go
> through your parent.

That isn't always possible for global code called from nested framesets.
Plus, it's just easier. Why should I have to NOT use it when I don't want my
frames framed by someone else to begin with? That's just silly.

--
~kaeli~
Why do they lock gas station bathrooms? Are they afraid
someone will clean them?
http://www.ipwebdesign.net/wildAtHeart
http://www.ipwebdesign.net/kaelisSpace

Jul 23 '05 #5
In article <11**********************@o13g2000cwo.googlegroups.com>,
el*****@gmail.com enlightened us with...
> I can also claim that Google breaks copyrights because it saves
> contents of other sites in its cache without permission.

This is true to a point, but it won't cache pages if you tell it not to. It
obeys the robots.txt file.

> Besides, you can put any image in your site from any site (with the
> <image src="..."> tag). Who really checks where's the origin of the
> image?

That's called bandwidth theft, and many of us use .htaccess files to prevent
it.
Just because you *can* doesn't mean you *should*.

> I know it's not OK to use others' stuff, but if copyrights are saved, I
> guess there's nothing wrong.

I'd have to generally agree with that statement.
As long as it's clear, there isn't all that much wrong with it.
Except when people use frames and assume their frames are their own.
They shouldn't have to change their code to accommodate other people's sites.

> Well, I guess that's not something you can rely on to prevent the
> redirect behavior. So how can you make the check fail, or better,
> prevent the top redirect?

You, as the person framing the site, cannot, generally speaking.
And if you manage it (usually by blocking all script, trapping
onbeforeunload, or some such hack), you usually break the framed site and
possibly your own.

> How can a site inside an IFRAME change the location of the top
> window? Shouldn't it be disallowed by domain JS security?

Nope. Because while your motives may be fine, others have motives that aren't
so fine. (answering the "should", which is subjective)

If you're totally dying to do this, there is a way to remove all the script
elements of a page before you frame it.
Requires server-side scripting that can use sockets and do http requests and
the permissions to create a temp file on the server.
I won't post the solution here in a public forum. It can be deduced from what
I said already.

--
~kaeli~
You feel stuck with your debt if you can't budge it.
http://www.ipwebdesign.net/wildAtHeart
http://www.ipwebdesign.net/kaelisSpace

Jul 23 '05 #6
