Setting iframe src via JS isnt working specifically for sharepoint - javascript

Setting src directly in iframe is working as expected
I'm trying to embed a Sharepoint document here.
For eg
<iframe src="https://rocketlane123-my.sharepoint.com/personal/lokeshkannan_rocketlane123_onmicrosoft_com/_layouts/15/Doc.aspx?sourcedoc={8822527b-0c56-44f9-8263-40c737db903c}&action=embedview"
width="476px"
height="288px" />
Whereas when I set the src in the script it's failing
<iframe id="x" width="476px" height="288px"></iframe>
<script>
document.getElementById('x').src = "https://rocketlane123-my.sharepoint.com/personal/lokeshkannan_rocketlane123_onmicrosoft_com/_layouts/15/Doc.aspx?sourcedoc={8822527b-0c56-44f9-8263-40c737db903c}&action=embedview";
</script>
This happens explicitly with SharePoint. So I would like to understand a couple of things here.
1. Am I doing something wrong?
2. Is there any CSP headers which block the parent from adding via JS?
3. Is there any official way from SharePoint to allow this?
3. Is there any way to hack this?
Thanks in advance.
Since this happens across chrome, safari and firefox I think it's not a bug in a specific browser.

Trying this in Firefox yields this error message:
To protect your security, login.microsoftonline.com will not allow
Firefox to display the page if another site has embedded it. To see
this page, you need to open it in a new window.
Opening the console gives this message:
The loading of [url] in a frame is denied by “X-Frame-Options“
directive set to “DENY“.
This is a header that's set by login.microsoft.com to disable embedding the link as an iframe.
This link details this design choice: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/sites/cannot-display-sharepoint-pages-in-iframe
The link mentions you can override the behavior by setting 'AllowFraming', though it doesn't recommend it, as there may be site-breaking changes by embedding it.
A guide to use this feature can be found at this link

The problem is in, javascript amp; should not represent as &.
Change your link to
<body>
<iframe id="x" width="476px" height="288px"></iframe>
<script>
document.getElementById('x').src = "https://rocketlane123.sharepoint.com/sites/MyDocsforSP/_layouts/15/Doc.aspx?sourcedoc={6d327004-5d52-4e42-9707-c964631f8e65}&action=embedview";
</script>
</body>

Related

jquery automatic button click issue

I have an iframe on my webpage that contains a linked qwebirc webchat that automatically logs visitors into irc with a temporary nick so all page visitors can instantly chat with each other.
I need to switch from qwebirc to kiwi irc, but it doesn't support autoconnecting.
** It will be connecting to our own irc server and I understand the risk of automatically joining visitors.
Since we cannot install a custom kiwi irc installation to our web server and customize it to autojoin, I know that I'll need to use a jquery function to automatically click the start button on the linked widget in the iframe.
Here is an example of what I'm working with:
<html>
<head>
<title></title>
</head>
<body bgcolor="#000000" link="#FFFFFF" vlink="#FF0000" alink="#FFA500">
<center>
<font face="tahoma" color="#FFFFFF">The "Start..." button below needs to be automatically clicked on page visit.</font>
<br><br>
<iframe src="https://kiwiirc.com/client/irc.MYCHATSERVER.net:6660/?nick=TESTNAME-?&theme=mini#TESTCHANNEL" height="400" width="400"></iframe>
</center>
</body>
</html>
(our server and channel have been renamed for this post, so it shouldn't actually connect)
I know that the function we need to use is:
$(document).ready(function(){
$('#some-id').trigger('click');
});
but I can't seem to find the id of the button.. the only thing I can find is the following line:
<button type="submit">Start...</button>
..that I found here: http://i.imgur.com/05IFHSZ.jpg
I'm not very good with javascript, but am a very willing learner and have a bit of a problem to solve. Any advice on how to incorporate the jquery code is greatly appreciated.
Thanks!!!
You will not be able to interact with elements inside the iframe using scripts from the parent document, or vice versa. This is a security measure and not something you can circumvent.
The same-origin policy restricts how a document or script loaded from
one origin can interact with a resource from another origin.
See Same-origin policy
I took a look at the IRC page and noticed that the button that needs to be clicked—<button type="submit">Start...</button>—is always the first button on the page. Therefore, you can use the following code to click it:
$("button").first().click()
note:
Concerning what pwdst said, you cannot script cross-domain (by default). However, this jQuery library may very well be worth looking into.

override alert() function for a webpage

I am basically trying to prevent any custom dialog boxes to be shown in my webpage.
Basically third party ad-networks, which at times may use some malicious code to show alert() to the end user.
I've come across a simple way, to override the alert on the main page:
Window.prototype.alert = function() {console.log("alert prevented!")}
So for a basic html page like this, it works just fine:
<html>
<body>
<script>
Window.prototype.alert = function() {console.log("an alert was averted");}
</script>
<div>
<a onclick="alert(1)"> This is an alert inside the body</a>
</div>
</body>
</html>
But introduce an iframe in the picture, and the alert within the iframe would pop-up.
What I still want to achieve is, if there is an <iframe> or anything similar HTML component, which basically would create a separate window, should also not be allowed to display any alert().
I'm not quite sure if this is possible, but still any suggestions?
It is probably not possible for old browsers, but newer browsers honor the sandbox attribute in iframe. “Newer” means IE 10 or newer or any reasonable new version of Chrome or Firefox. See support details.
For example, if you wish to disallow popups only, use this:
<iframe src=foo.html sandbox=
"allow-forms allow-pointer-lock allow-same-origin
allow-scripts allow-top-navigation."></iframe>
Here I have listed all the possible values that this attribute value may contain except allow-popups, so that’s the only feature that will be disabled by the attribute.

Javascript/Html: Load Html into FrameSet with onunload event

Explanation of problem in full below, you could probably just skip to the code at the bottom if you want.
What happened is a impatient client wanted his swf banners converted to html5 without having to actually code them from scratch. So i utilized Google's new tool, Swiffy. I then tried to place this new generated html5 page in the header of the clients wordpress site. I have gotten it to load as an iframe but the problem that I am encountering is when you click on a link on the loaded html5 page, it just loads the linked page in the iframe, not the parent page/window (which is to be expected). I tried a bunch of other methods, and tried changing the AS2 links in the .fla as well but no luck. I am guessing Swiffy can not read every AS2 code, and so it has been ignoring my "_blank", "_parent" when I use getURL. Anyway, I have been trying to get it so when the iframe unloads to go to the linked page, it uses Java to just open the link on the parent page. But iframes cant use the onunload event, but I am pretty sure framesets can. So this is the code I was trying and it doesnt work.
<frameset rows="100%" onunload="window.open('http://www.goaefis.com/about-aefis/what-is-aefis/','_parent');">
<frame src="www.goaefis.com/banner_Test.html" frameborder="0" scrolling="no" />
</frameset>
Any help will be super appreciated.
try to use the "target" on your frames.
Here's a example:
http://www.w3.org/TR/html4/present/frames.html

manipulating location.href of frame with PDF plugin in IE9

I'm experiencing rather strange behaviour in IE9 when loading a PDF in a frame with Javascript. The document will load once, but any subsequent invocation will result in SCRIPT65535: Invalid calling object.
I'm constructing my URL from Javascript and loading through top.framename.location.href='file1.pdf'. If you start with a PDF in the frame, it will fire the error upon the first invocation of the script.
So, it appears you are no longer allowed to modify the location.href property of a frame in which the Adobe Reader plugin (version 10) is loaded. The same code with HTML documents works fine.
Does anybody know why this behaviour was changed, and if there is a workaround other than using IE8 emulation with <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">?
I'm also not looking for workarounds that completely avoid the Javascript. There are numerous options, like constructing the link elsewhere and loading it with a target attribute, but I'd really like to do this with Javascript.
If you want to test/reproduce, you can use:
<frameset cols="150,*">
<frame src="toc.html"/>
<frame src="about:blank" name="otherframe"/>
</frameset>
and in toc.html:
<a onclick="javascript:top.otherframe.location.href='1.pdf'">pdf1</a><br/>
<a onclick="javascript:top.otherframe.location.href='2.pdf'">pdf2</a>
Take a look here:
http://forum.jquery.com/topic/internet-explorer-9-jquery-and-divx
When I go to IE9 developer tools (F12) and under Script tab, click on
Start debugging button, I get details about the error: SCRIPT65535:
Invalid calling object script block (2), line 72 character 4
When you look at the script line 72, this line is highlighted:
appendChildOriginal(element);
Then I go to IE9, Manage add-ons, under Toolbars and Extensions, look
for Divx, LLC and disable Divx Plus Web Player HTML5 and DivX HiQ and
restart IE9 Browser.
The error is gone and my web application work perfectly.
Had the same problem.
In IE9, the frame object is replaced by some PDF object that doesn't contain the location property. So the second time you cannot update the frame url with location.
You can solve this by using window.open()
window.open('1.pdf', 'otherframe');

iframe without an src attribute

I would like to create an <iframe> on the page, but then add the src later. If I make an iframe without an src attribute, then it loads the current page in some browsers. What is the correct value to set for the src so that it just loads a blank iframe?
The answers I've seen are:
about:blank
javascript:false
javascript:void(0)
javascript:"";
url to a blank page
Is there a clear winner? If not, what are the tradeoffs?
I'd like to not have mixed content warnings for HTTPS urls, nor any back-button, history, or reload weirdness in all browsers from IE6 onward.
Not sure if all browsers support "about:blank", so I'd just go with your own blank page then.
Another idea: Why not add the whole iframe using javascript instead of just the src?
Standard approach when creating an "empty" iframe (as an iframe shim, for example), is to set the src as javascript:false;. This is the method used by most of the JavaScript libraries that create iframe shims for you (e.g. YUI's Overlay).
What about
about:blank
Re your comment clarifying that you're planning to use the iframe as the target for a form submission:
I would use an empty document on the server that sends back a 204 no content.
It avoids
"mixed content" warnings in IE and HTTPS mode
Unnecessary errors because a client doesn't understand the javascript: protocol
and other exotic shenanigans.
It's also valid HTML.
So what if it generates an extra request? Set the caching headers right, and there will be only one request for each client.
javascript:false:
IE10 and FF (checked in v23 in Linux) will show 'false' as content.
javascript:void(0) && javascript:;:
IE will show 'cannot display the webpage' error in the iframe. Also, when setting the src from a valid url to javascript:void(0), the page will not get blank.
about:blank:
Works in all browsers but IE 9 sends an request to the server with path "null". Still the best bet IMO
Checkout http://jsfiddle.net/eybDj/1
Checkout http://jsfiddle.net/sv_in/gRU3V/ to see how iframe src changes on dynamic updation with JS
javascript:false works in modern browsers.
What I've seen is that this only "fails" when dumb spiders try to load javascript:false as a page.
Solution: Block the dumb spiders.
As I posted in this question: Is an empty iframe src valid?, it looks acceptable to just leave out the src= attribute completely.
IMO: if you don't put the src, your page won't validate. But's about it.
If you put a src="", your server will log many 404 errors.
Nothing is really wrong as in "damaging". But then, is it actually not wrong to use an iframe in itself?
°-
Yes, I know I'm reviving an old thread. Sue me. I'm interested in the answer.
I don't understand why having the trigger being a form submit precludes dynamically creating the IFrame. Does this not do exactly what you want?
<html>
<head>
<script type="text/javascript">
function setIFrame(elemName, target, width, height) {
document.getElementById(elemName).innerHTML="<iframe width="+width+" height="+height+" src='"+target+"'></iframe>";
}
</script>
</head>
<body>
<div id="iframe" style="width:400px; height:200px"></div>
<form onSubmit="setIFrame('iframe', 'http://www.google.com', 400, 200); return false;">
<input type="submit" value="Set IFrame"/>
</form>
</body>
</html>
I run into this line of code:
iframe.setAttribute("src", "javascript:false");
as well. I wanted to remove javascript:URL.
Found this note from the Web Hypertext Application Technology Working Group [Updated 2 October 2019]
[https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element][4.8.5_The_iframe_element]
The otherwise steps for iframe or frame elements are as follows:
If the element has no src attribute specified, or its value is the
empty string, let url be the URL "about:blank".

Categories