
IE "Mark of the Web" cross-frame scripting?

A few months ago I posted a question about using a file on my hard
drive to perform cross-frame scripting and pull data from a server on
my company's intranet. I eventually got this working using an HTA file
and Internet Explorer.

Now I'm tackling a similar issue, but really need to keep the IE menus,
navigation buttons, etc. this time around. Assuming a solution exists,
I'm guessing it involves using the IE6 SP2 "Mark of the Web" feature.
Basically, I'm loading a local file that includes several
Javascript-powered buttons at the top, followed by an iframe that
claims the remaining 100% x 95% of the visible window and loads a page
from a web server on our intranet. The local HTML file includes a
"Mark of the Web" that matches this web server, and the server's domain
is stored at a "Trusted Site". So far, so good. The problem is that
when my script tries to access the page in the iframe, it doesn't
work...IE responds with an "Access is denied" error.

I haven't found very good documentation on the logic at work here, and
since I can't decide exactly where IE is getting hung-up, choosing a
next step is tricky. Is there some way around this? These company
PC's are partly locked-down, and as I'd also planned to give this HTML
file to coworkers, can't ask anybody to install new software or perform
major OS tweaks. Additionally, these PC's lack the real Windows XP
Service Pack 2, in favor of a mix of smaller updates and hotfixes, so
some of the new Internet Properties security features are missing
(assuming one might have helped).

I will keep experimenting and may eventually stumble on a solution as I
did previously, but I'd appreciate any suggestions. I think it's very
annoying that a file on my own hard drive can't simply do what it
wants. :-(

Thanks,

Todd

Jul 14 '06 #1
11 Replies


Have you considered using a different approach such as automating an instance of IE using VB or VBA (eg. from excel?)

That typically does not suffer from the same restrictions as using javascript in another web page.
What type of process are you trying to automate in the "target" page ?

Tim


Jul 15 '06 #2

Tim Williams wrote:
> Have you considered using a different approach such as automating an instance of IE using VB or VBA (eg. from excel?)
>
> That typically does not suffer from the same restrictions as using javascript in another web page.
> What type of process are you trying to automate in the "target" page ?

I'd like to read information from the iframe (which for all intents
*is* the browser window, as it occupies all but the top 5% of available
space), roll it into an email message (Lotus Notes), and send it to a
defined individual. (Think of it like the "Send to a Friend" feature
you find on most news sites.) So "automating an instance of IE" won't
work, as it's got to be the IE window that's currently in use. I'm
open to straight VBA, though, if I can initiate it through a
navigation-style button or a free, user-configurable plugin bar at the
top of IE.

Hmm, is THAT even do-able?

Thanks for the quick reply, Tim!

Todd

Jul 15 '06 #3

ta******@mindspring.com wrote:
> A few months ago I posted a question about using a file on my hard
> drive to perform cross-frame scripting and pull data from a server on
> my company's intranet. I eventually got this working using an HTA file
> and Internet Explorer.
>
> Now I'm tackling a similar issue, but really need to keep the IE menus,
> navigation buttons, etc. this time around.

How many of the stock menus do you really need? If it's mostly
navigation and say, print, then I'd write an HTA mini-browser wrapper.
Something like the example in Figure 8 at:

http://www.microsoft.com/mind/0799/h...s/htmlapps.asp

Best, Kev

Jul 15 '06 #4

Kevin Darling wrote:
> ta******@mindspring.com wrote:
>> Now I'm tackling a similar issue, but really need to keep the IE menus,
>> navigation buttons, etc. this time around.
>
> How many of the stock menus do you really need? If it's mostly
> navigation and say, print, then I'd write an HTA mini-browser wrapper.
> Something like the example in Figure 8 at:
>
> http://www.microsoft.com/mind/0799/h...s/htmlapps.asp

I had considered that, but given how many people still wrinkle their
noses at trying a different browser, I don't think a homemade approach
will go over well. The look/layout has to be highly familiar.

I've never found docs for it, but there is apparently a way for
third-party applications to make custom buttons in IE through the
registry, so short of any better ideas, I will start researching in
that direction. Hopefully it will support starting a VBA script.

Thanks,

Todd

Jul 17 '06 #5

TC

ta******@mindspring.com wrote:
> Assuming a solution exists, I'm guessing it involves using
> the IE6 SP2 "Mark of the Web" feature.

You guess wrong. MOTW does not, in and of itself, enable cross-site
scripting. It just causes your page to be executed with the security
settings of the Internet zone, instead of the (higher) settings of the
Local zone. If your Internet zone settings do not allow cross-frame
scripting - and they normally wouldn't & shouldn't - your MOTW page
will not be able to do that either.

There's a "document.domain" thing that might help. I'm not sure,
because I'm no expert on that, and I haven't read your whole post in
detail. Check it out, perhaps it would help.

HTH,
TC (MVP MSAccess)
http://tc2.atspace.com
(Atspace is currently unreliable. Please be patient and/or try again
later.)

Jul 17 '06 #6
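
Added example (not part of TC's post or anyone's code in this thread): a small JavaScript check that separates the two things being discussed, the URL a Mark of the Web comment declares for zone mapping and the origin comparison that cross-frame script access depends on. The host `intranet.example`, the file path and the helper names are hypothetical, the sample markup is constructed, and the WHATWG `URL` origin is used here as a stand-in for IE's frame access check.

```javascript
// MOTW comment format: <!-- saved from url=(NNNN)URL -->
// NNNN is the 4-digit character count of URL.
const MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->/i;

// Constructed sample: local toolbar page carrying a MOTW for the intranet host.
const SAMPLE_HTML =
  '<!-- saved from url=(0024)http://intranet.example/ -->\n' +
  '<html><body><iframe src="http://intranet.example/report.htm"></iframe></body></html>';

function parseMotw(html) {
  const m = MOTW_RE.exec(html);
  if (!m) return { present: false };
  const declaredLength = parseInt(m[1], 10);
  const url = m[2];
  // A length field that does not match the URL is worth flagging on review.
  return { present: true, url, declaredLength, lengthOk: declaredLength === url.length };
}

function originOf(href) {
  const o = new URL(href).origin; // file: URLs have an opaque origin, serialized as 'null'
  return o === 'null' ? null : o;
}

// parentHref: where the outer page was really loaded from.
// frameHref:  where the iframe content was loaded from.
function crossFrameCheck(parentHref, parentHtml, frameHref) {
  const motw = parseMotw(parentHtml);
  const parentOrigin = originOf(parentHref);
  const frameOrigin = originOf(frameHref);
  return {
    motwUrl: motw.present ? motw.url : null,
    motwLengthOk: motw.present ? motw.lengthOk : null,
    // The MOTW only changes which URL is used to pick the security zone.
    zoneUrl: motw.present ? motw.url : parentHref,
    parentOrigin,
    frameOrigin,
    // Script access between frames needs matching origins; the MOTW does not alter them.
    sameOrigin: parentOrigin !== null && parentOrigin === frameOrigin,
  };
}

console.log(crossFrameCheck('file:///C:/tools/toolbar.htm', SAMPLE_HTML,
                            'http://intranet.example/report.htm'));
```

For the constructed local file the result has `zoneUrl` set to the intranet URL but `sameOrigin` false, which matches the "Access is denied" symptom in the original question.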

The only way that I see to avoid using an HTA is not to use frames. Since
one frame seems to merely consist of controls to control the other frame,
why not dynamically inject that code onto the other page at runtime, thereby
avoiding the frame problem altogether?

Jul 17 '06 #7

ta******@mindspring.com wrote:
> I'd like to read information from the iframe (which for all intents
> *is* the browser window, as it occupies all but the top 5% of available
> space), roll it into an email message (Lotus Notes), and send it to a
> defined individual. (Think of it like the "Send to a Friend" feature
> you find on most news sites.) So "automating an instance of IE" won't
> work, as it's got to be the IE window that's currently in use. I'm
> open to straight VBA, though, if I can initiate it through a
> navigation-style button or a free, user-configurable plugin bar at the
> top of IE.

Okay, I'm going back to concentrate on your original request.

It sounds like you want this tool to be built-in to everyone's browser.
That means either a Link or a right-click menu (for IE, anyway).
Both are easy to do.

Do you have a tiny example of what you're trying to pick up from a
page, to put in that email? In other words, are you reading just the
text or a selected HTML section or ? If it's not complicated, then
a Link might work. Otherwise you'll need the right-click context
menu.

Kev

Jul 17 '06 #8

"document.domain"

is set by the domain, e.g,
www.adobe.com/crossdomain.xml
xml.amazon.com/crossdomain.xml
www.yahoo.com/crossdomain.xml /stinking
hideout.com.br/crossdomain.xml
http://www.flash-db.com/crossdomain.xml

Jul 19 '06 #9

Some idea of what is right and wrong would help,
in communications, like a protocol, wouldn't it.

http://www.luar.com.hk/flashbook/upload/crossdomain.xml
http://www.flash-db.com/crossdomain.xml
http://xml.amazon.com/crossdomain.xml

Jul 19 '06 #10

You need to be cookied or at least jscript enabled, or their
write to customer disk before displaying anything otherwise
takes ground.

Jul 19 '06 #11

Kevin Darling wrote:
> It sounds like you want this tool to be built-in to everyone's browser.
> That means either a Link or a right-click menu (for IE, anyway).
> Both are easy to do.
>
> Do you have a tiny example of what you're trying to pick up from a
> page, to put in that email? In other words, are you reading just the
> text or a selected HTML section or ? If it's not complicated, then
> a Link might work. Otherwise you'll need the right-click context
> menu.

Actually, I ran some more usenet searches and found the docs for custom
buttons and explorer bars, and a link to MS's GUIDGen program. A
horizontal explorer bar actually seems like the best solution, as I'm
not stuck making a bunch of .ico files. I want something that stares
the user in the face, else they forget to use it. My only concern now
is that I don't have docs on how to access the DHTML tree of the main
web page, or a reassurance this is possible. (I assume it is.) I wish
explorer bars were movable so I could put it near the top of the window
instead, but overall that's a small thing. I will be reading roughly 6
text strings from a terse-looking web page, so it may take a little
creativity, but hopefully I'm now over the hump.

Thanks for all the suggestions,

Todd

Jul 20 '06 #12
