Thomas 'PointedEars' Lahn wrote:
Thomas 'PointedEars' Lahn wrote:
>VK wrote:
>>did you actually try to read frameobj.location,
frameobj['location']?
Yes, I did. It worked fine as it was supposed to.
>>if on any of your configurations it gives you anything other than
security exception or null or undefined as it must:
No, it does not need to. You have yet to show a single case where
reading back this well-defined string value of
window.frames["..."].location
(remember, _not_ window.frames["..."].location.href) would be
impossible
I am afraid I have to show this myself. Curious. MSHTML, Opera
and WebKit do not allow to read back the `location' string value
of an iframe Window object in any case. Gecko (which I have tested
with at first) only allows it when the embedding site is at localhost
(where I have tested which was obviously too superficial a test).
<snip>
Issues in type converting the location object into a string do not
impact on the validity of your assertion that:-
| I have said, ... , that reading window.location (here:
| window.frames["..."].location) directly, in contrast to reading
| window.location.href (here: window.frames["..."].location.href
| or the deprecated window.frames["..."].document.location.href
| property), is not subject to the Same Origin Policy and to the
| restrictions it imposes.
- because type conversion to a string implies an internal call to the
object's - toString - method, and in just the same way as security
restrictions may apply to the - href - property of the location object
without the object itself being subject to the 'Same Origin Policy' the
same can be true of the object's - toString - method. Such that any
attempt to read the - toString - property, or if it can be read then to
execute its value, may be the point at which a security exception is
thrown.
Other forms of direct access to the - location - object certainly can
stand as a demonstration that reading its value is not subject to any
security restrictions. For example, reading the value of non-existent
property, such as:-
frames[" ... "].location.dummy
- results in the undefined value without throwing any exceptions on IE,
Firefox and Opera. Resolving that whole property accessor successfully
necessitates successful reading of the value of - frames[" ...
"].location -, and interacting with the object that is its value
(calling its internal [[Get]] method).
Other test subject for the question of whether it is possible to
directly access the value of a - location - object without security
exceptions being thrown might be a - typeof - test, assigning the value
to a local variable, or comparing the object with another object. If the
location object were itself subject to these restrictions, any of those
should be expected to throw an exception.
A demonstration might be the following minimal HTML page. If reading the
value of the - location - property of an IFRAME that contained a page
from an different domain neither of the two alerts in the following code
would be shown. But in reality both are shown when the browser is IE,
Firefox or Opera (and very probably all others).
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title></title>
<script type="text/javascript">
window.onload = function(){
alert(
'frames["test"].location.dummy = '+
frames["test"].location.dummy
); // Expect "undefined".
alert(
'typeof frames["test"].location = '+
(typeof frames["test"].location)
);// Expect "object" (but possibly "function").
};
</script>
</head>
<body>
<iframe src="http://www.google.com/" id="test" name="test"></iframe>
</body>
</html>
Richard.