Cross-frame scripting and Localhost

Hello,

Is it possible to run an HTML file from "localhost" and bypass the
various security checks in place for cross-frame scripting? For
example, on a 2-frame page loaded locally:

a) frame 1 includes a form that accepts the name of a web site
(example: www.foo.com), which a script or perhaps a "target" attribute
then loads into frame 2
b) frame 1 waits for frame 2 to load, then reads (for example)
top.frame2.document.images.length and displays the total in frame 1

I realize that "localhost" is not going to match the domain appearing
in frame 2, but as I myself am running the script, logically, where is
the harm?

I haven't done much testing with this yet, but am planning an
application around this concept and am hoping I can make it work. Any
pointers?

Thanks,

Todd

Apr 24 '06 #1
ta******@mindspring.com said the following on 4/24/2006 10:55 AM:
> Hello,
>
> Is it possible to run an HTML file from "localhost" and bypass the
> various security checks in place for cross-frame scripting? For
> example, on a 2-frame page loaded locally:
>
> a) frame 1 includes a form that accepts the name of a web site
> (example: www.foo.com), which a script or perhaps a "target" attribute
> then loads into frame 2

Did you test it?

> b) frame 1 waits for frame 2 to load, then reads (for example)
> top.frame2.document.images.length and displays the total in frame 1

Did you test it?

> I realize that "localhost" is not going to match the domain appearing
> in frame 2, but as I myself am running the script, logically, where is
> the harm?

Did you test it?

> I haven't done much testing with this yet, but am planning an
> application around this concept and am hoping I can make it work. Any
> pointers?

Test it.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Apr 24 '06 #2
Did you try hta?
http://support.microsoft.com/kb/q241754/

Apr 24 '06 #3
Randy Webb wrote:
> ta******@mindspring.com said the following on 4/24/2006 10:55 AM:
>
> > Is it possible to run an HTML file from "localhost" and bypass the
> > various security checks in place for cross-frame scripting? For
> > example, on a 2-frame page loaded locally:
> >
> > a) frame 1 includes a form that accepts the name of a web site
> > (example: www.foo.com), which a script or perhaps a "target" attribute
> > then loads into frame 2
>
> Did you test it?
>
> > b) frame 1 waits for frame 2 to load, then reads (for example)
> > top.frame2.document.images.length and displays the total in frame 1
>
> Did you test it?
>
> > I realize that "localhost" is not going to match the domain appearing
> > in frame 2, but as I myself am running the script, logically, where is
> > the harm?
>
> Did you test it?
>
> > I haven't done much testing with this yet, but am planning an
> > application around this concept and am hoping I can make it work. Any
> > pointers?
>
> Test it.


I think your record is stuck.

I ran some more tests this morning, but nothing worked in Firefox. I
posted because I couldn't be sure it wasn't from something I was doing
wrong, and because I still don't see any security implications. It
seems that not only is the DOM structure unavailable, but the onload
event is never triggered in the first place. If any of this doesn't
sound right, I would appreciate somebody replying without posing more
questions.

It seems like a case of unimaginative programming to me, but at least
falling back to IE and HTAs will appear to do the job. No, I haven't
tested it yet.

Todd

Apr 24 '06 #4
Ah, HTAs. :-) Until today, I hadn't realized that "localhost" falls
into the category of "any old site", and was still trying to make
something vaguely standards-compliant. But I've fallen back on HTAs
before and I can do it again. Thanks for the URL!

Todd

Apr 24 '06 #5
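
Added example, not part of the original thread: the origin comparison that the same-origin policy applies before script in one frame may read another frame's document, which is why a read such as top.frame2.document.images.length from a page on localhost is refused once frame 2 holds www.foo.com. The function names and sample URLs are constructed for illustration, and opaque origins (such as file: pages) are assumed never to match.

```javascript
// Added example: the origin check behind cross-frame DOM access.
// Function names and URLs are constructed; document.domain relaxation
// is deliberately not modelled.

// Return the (scheme, host, port) tuple of a URL, or null when the URL
// has an opaque origin (file:, data:, ...). Assumption: opaque origins
// never match anything, following current browsers' handling.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.origin === 'null') return null;
  // URL normalises case and drops default ports (":80" on http is '').
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// Decide whether script loaded from parentUrl may read the DOM of a
// frame currently showing frameUrl, and say which part blocked it.
function frameAccess(parentUrl, frameUrl) {
  const a = originOf(parentUrl);
  const b = originOf(frameUrl);
  if (a === null || b === null) {
    return { allowed: false, reason: 'opaque origin' };
  }
  for (const part of ['scheme', 'host', 'port']) {
    if (a[part] !== b[part]) {
      return { allowed: false, reason: part + ' mismatch' };
    }
  }
  return { allowed: true, reason: 'same origin' };
}

// Constructed cases: [page holding frame 1, document loaded in frame 2]
const cases = [
  ['http://localhost/tool.html', 'http://www.foo.com/'],
  ['http://localhost/tool.html', 'http://localhost:80/frame2.html'],
  ['http://localhost/tool.html', 'http://localhost:8080/frame2.html'],
  ['http://localhost/tool.html', 'https://localhost/frame2.html'],
  ['file:///C:/tool.html', 'http://www.foo.com/'],
];

for (const [parent, frame] of cases) {
  const r = frameAccess(parent, frame);
  console.log(`${parent} -> ${frame}: ${r.allowed ? 'ALLOW' : 'DENY'} (${r.reason})`);
}
```

The check looks only at where each document came from, not at who is running the browser, so serving the page from localhost gives it no extra rights over a document from another host.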
