I am launching a pop up window using javascript. This is a security question regarding cross domain messaging between a pop up window and its parent window using javascript "postMessage()".
The html file for the pop up window resides on AWS. The parent window sits on a different domain.
So, a user visits the parent window, and on button click, the pop up window is launched from AWS. Then, the pop up window communicates with the parent window via "postMessage()".
In the parent window, I set the domain to receive messages only from this url: https://s3.amazonaws.com like so:
if(e.origin != 'https://s3.amazonaws.com') {
return;
}
If you can answer any of these questions, it would be helpful. Thank you very much. Does this mean all files from this url will be able to send messages to my parent window? Is this a security risk? Is there a way to specify that messages should only be accepted if they originate from my specific HTML file on AWS? Should I try to host the pop up html file on an internal server that is owned and maintained by my employer?
Thank you.
Yes, the message event can listen for messages from different browsing contexts. It is the prerogative and responsibility of the developer to provide adequate checks as to the origin of the message and specific values of the message which should be expected.
One option is to set the name of the opened window to a unique string, pass the name to window.opener and check if the name is equal to the unique name provided to window.open()
Related
I am writing a plugin for wordpress, and I provide a way for users to log in to my service, when they click on log in a popup opens with the service's website (which is on a different url than the wordpress blog).
So to avoid cross domain errors, I use postMessage This works great but the second argument of postmessage is the domain name of the website to send the data to.
I did a lot of research and all the examples seem to hardcode the domain name directly into it, but since it's a wordpress plugin, any domain can go there.
So I want to get the domain name of the parent window (the one who opened the popup).
I noticed that firefox manages to extract the url
when using the developer tools but I can't seem to manage to do it myself as almost all the properties are restricted.
So how can I get the url/domain name of the parent window for my popup?
The Same Origin Policy forbids JavaScript access to the location of a page on a different origin.
However, from the documentation you link to:
targetOrigin
Specifies what the origin of targetWindow must be for the event to be dispatched, either as the literal string "*" (indicating no preference) or as a URI.
If you want to limit message reading to a selection of origins (without making it public), then you could try to post a message to each in turn, or you could have the parent send its origin to the child (either through postMessage — although that has issues with timing, since you have to wait for the new page to load — or by simply passing it in the query string when requesting the page.
Pass it to your login page via query string added to the end of your service's website that opens your pop up.
Example:
var myservice = 'myservice.com?'+window.location.href;
Then from your site you get the parts you need and create a variable and substitute that for the hard coded address.
Getting the parts:
var prot = window.location.protocol;
var dom = window.location.host;
var path = window.location.pathname;
var qry = window.location.search;
document.getElementById("demo").innerHTML = dom + path + qry;
I currently have a form that is being iFramed into an application that acts as a search bar. When users hit enter in this search, the form redirects the parent window to a different URL within the application. Note that these have the same domain, but different sub-domains. This part works well. See the code below.
window.parent.location = redirectUrl;
The issue is that I have a customer who is iFraming this application into another application. When they go to perform this search in this scenario, we are getting an error that says that "the frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener."
Is there a workaround around for getting this to work?
The browsers would typically disallow that if the domain is different.
You might be able to set response headers to tell the browser to allow the request to go through:
Access-Control-Allow-Origin: http://example.com
See below:
http://www.staticapps.org/articles/cross-domain-requests-with-cors
You're accessing the window object which, being on a different domain, is restricted by cross origin policy.
You could look at accessing the parent document directly, going up from the active frame, rather than going down from the top (window)
Credit for the image and decent reference
http://eligeske.com/jquery/what-is-the-difference-between-document-and-window-objects-2/
I've been working on some sort of 'remote controller' window where the child window loads the selling configuration from the parent and after changing the selling configuration and pressing the 'apply' button, the selling configuration is sent back to the parent window.
After googling, I found out that data exchange between the parent and child is available only if both windows are opened under the same http:// domain.(I believe this is because of the unique SSL that every server has.)
then, here's my question: is there anyway that I can exchange data between parent and child window when two windows have different domain?
more details on the situation that I'm stuck on:
I'm trying to make a child window that will allow me to select which metal ores to sell in a petty web game called 'Mr.mine'(mrmine.com)
with the chrome javascript console, I've managed to have some control over the game where I can create such loops that will to the selling instead for me
Originally, if I were to select which ores were to sold, I would have had to manually change an array called 'sellorder' from the java console. This turned out to be quite confusing and frustrating so I wanted to create a child window where I could configure my selling decisions with a much simpler and easy to understand layout.
I succeeded in making such a child window in my github repository and I have confirmed successful data exchange between the parent and child window which are both located in the same github repository.
parent code:
var sellorder=[....] // has some value..
// some codes in between...
function sell(){
var url="https://rawgithub.com/kwagjj/mrmine-macro/master/initializing/sell_window_ver1.0.html"
var w=window.open(url,"sell_window","width=300,height=450");
}
child code:
var loadarray;
window.onload=function(){
loadarray=window.opener.sellorder;}
// ... after some operations..
window.opener.sellorder=loadarray;
Then I tried to implement this child window popup code into mr.mine.
It turned out to be a failure. And I think this is because in this case, the parent and child window doesn't share the same http:// domain.
So this is my situation. If there isn't a direct way of exchanging data between the two windows, I would like to hear any other way to even bypass this problem.
"with the chrome javascript console" (sic) you can also add some javascript to your page (or use an extension like greasemonkey for custom scripting).
On your game add a script with a setInterval function that will call with your server every x seconds. And get the json encoded data of the configuration
On the other side, when validating your configuration, it will use Ajax to store information on your server (i.e. in a file)
To sum up :
In your parent windows, when you modify your configuration, an Ajax call is made to save the new config json encoded in a file on your server
In your child windows with the console (if no reload) or with a userscript extension (like GreaseMonkey) you add a setInterval javascript to load the array from the file on your server.
PS: This is theorical and not an invitation to cheat on a game you like.
I open a new window to a Google docs presentation using the method window.open :
NewWindow = window.open("https://docs.google.com/presentation/d/1Qs9......");
I want to retrieve that url in order to know of it has changed (each slide of the presentation has a different url and i want to see if the user changed slides), using NewWindow.location.href
All i get is an undefined value. I can change href though
NewWindow.location.href ="http://www.google.com"; //works
I've read that if you are not in the same domain, you are not allowed to access the href or any other properties on the remote window.
Isn't there any other way to do it?
Thanks in advance.
There is a workaround but not in JavaScript.
The standard solution is to map the documents into your own domain using a proxy server that runs hidden under some URL of your own domain.
That way, you can access the documents via https://your.doma.in/google/presentation/...
A word of warning: If you make a mistake with configuring the proxy, crackers can abuse it to do nasty things (like trying to hack Google or send spam; the police will come knocking on your door).
I have a form post method, which is used to show a new page. Its done this way so that the arguments used cannot be seen in the location bar.
Each window is given a unique name, but I want to be able to detect if this browser window is already open, so that calling this form again will not force that current browser window to auto-fresh.
Any suggestions?
I assume you're opening new windows in Javascript. So, assign a variable name to your new window (e.g. var newWin1 = window.open(...))
Then test to see if the document of your window exists:
if(newWin1.document) { alert("Window is open!"); }
else { alert("Window is gone!"); }
For a security note: people can still see the post data you're sending with any HTTP header tool. Check out LiveHTTPHeaders for Firefox (or a million others) to see what I mean.
Another note: Not sure what you're doing, but people don't like when a webpage does things without them asking it to (like opening windows). You may want to consider improving your design to a more user-friendly method.