Cross Origin XMLHttpRequest iFrame "Mini Browser" - javascript

Is it possible to get around the security and mimick either a full-browser or mobile browser within a webpage?
I had an idea to set the HTML manually, using an AJAX/XMLHttpRequest ("Get" request)
document.querySelector('#myiframe').contentWindow.document.write("<html><body>Hello
world</body></html>");
(from How to set HTML content into an iframe)
Can anyone verify this is possible? I'm guessing you would lose relevant site date (cookies, cache, etc)

Is it possible to get around the security
Yes, many browsers let you start them in a security-off mode, e.g. on chrome you run the program with the --disable-web-security flag. However, you should never ask a client to do this.
An alternative way would be to write a Java applet, or some other third-party plugin, which fetches the resources you want and then passes it over to the browser with your favourite method, from which you can use JavaScript on the data as desired. This method would lose things like cookies, and might be exploitable so I wouldn't recommend it.
mimick either a full-browser or mobile browser within a webpage?
Finally, if you don't mind the "URL bar" displaying the wrong thing when a user navigates, you could just use the default behaviour. This method is totally acceptable and doesn't circumvent any security.

Related

how to code for users with disabled cookies and popups

Here's the situation: I'm redesigning our company's public facing website using ASP.NET, VB.NET and some javascript/jquery. Some of the features I'm adding require page reloads (which register as popups) and cookies. Works great if everything is enabled. But I've noticed on some browsers (such as Firefox) I still get prompted to ok these actions, retain these cookies, etc. Now I can code some contingencies for simpler pages for users who will not or can not enable these features, but I'd like to find a way to make it as simple as possible to enable the full features. From what I've read, there's no way I can actually force it to happen the way you can force a browsers document mode by settings in the web.config file, but I am hoping there is some way to give them a button to click (or something similar) where it will enable what I need. Is there a way to do this programmatically? what I'm looking for is some code that will make the changes, instead of directing them to go into e.g. Internet Explorer security settings, which most end users find tedious if not incomprehensible.
Advice?
You can avoid using cookies. Use Session or a database backend for things you would normally use cookies for. For popups, use overlaid divs such as Ajax Control Toolkit Modal Popup Extender or jQuery UI Dialog instead of starting a new browser window.
But really, ASP.NET is designed to function with cookies. If you're users aren't using them, tell them they're penalizing themselves.
Certain browser features are ONLY user-configurable for security reasons. You cannot provide a button to change these settings because they would then not user-configurable.
All you can do is warn the user.
JavaScript cannot change a client browser's setting due to security reason. Otherwise, all hell will break loose.
Note: you can if you create an executable program, and a user runs on his/her computer.
However, you should never change a user's browser setting.
Instead you should give the warning and instruction to a user which is a proper way of doing it.
Disable Javascript
Disable Cookie

accessing elements of a child window via javascript in a parent window across domain AND protocol

I'm building an automation tool at work, and I've hit a bit of a snag... The task is to automate the laborious process of navigating a large web-based GUI which sends queries to a database based on the values entered in various fields. We do not have access to the database itself or the server on which the web-GUI is located. Furthermore, the protocol for the web-GUI is https. Is there any way to have javascript open the web-GUI in a new window and then act on it [clicking buttons, reading returned text strings etc.]? The implementation doesn't have to be javascript (autoIT would do the same job much more easily) but I am curious as to how the access denied errors might be overcome. I have read about certain workarounds, but none of them went so far as to actually attempt to interact with elements of the cross-domain document. I have also discovered easyXDM, but it doesn't solve the protocol discrepancy, and I'm not certain it would work for my situation anyway. Any input would be appreciated!
thanks,
CCJ
You are not going to be able to do cross domain because of the same origin policy.
Sounds like you should do something with greasemonkey or with selenium to automate it.

Fetching all the urls opened in the browser

I know that getRequestURL will fetch me the URL of the page being opened.
I need to know how to get the URLs of all the tabs opened in the browser say firefox.
Is there anyway to achieve this?
This is not possible to do from a regular web page as it would be a serious security issue.
However, it is possible with browser extensions (for example, in Chrome there is a chrome.tabs.getAllInWindow() function available to plugins, and accessing their urls is simply a matter of looping through the tabs returned by that function and reading the .url property. See further documentation here).
From your own web page you should not be able to achieve this, as that would be a breach of the sandboxing these browsers attempt to enforce between tabs. If you launched the other windows via javascript, you may be able to control their content, but only under this circumstance.
You could feasibly write a plugin to run in the browser, but obviously the client would have to install/trust this for it to work.

implement a callback between two sites - communicating between two sites

I have a web app in http://domain1/app1/called.html, and I want to embed that application inside http://domain2/app2/caller.html with an iframe (or a popup, it's the same)
the user should be able to interact with called.html, until they press a certain button, in that case I need to tell caller.html that the user selected an item from called.html
I tried implementing it with javascript.
in called.html I encode the data in json, and then I execute a "called_callback" javascript function in caller.html, passing the json as a parameter.
if called.html was called with a popup, I issue window.opener.called_callback( jsonData ), if it's an iframe I just issue parent.called_callback( jsonData )
having caller.html and called.html in the same domain everything works fine, but from different domains I get the following errors:
permission denied (on IE6)
and
Unsafe JavaScript attempt to access frame with URL [..]/caller.html from frame with URL [...]called.html. Domains, protocols and ports must match. (on google chrome)
Is it possible to overcome this limitation?
What other way of achieving it can you think of???
I guess caller.html could implement a web service, and I could send the result calling it, but the page caller.html would have to poll in order to detect any change...
So how can one application communicate with another one in a different domain to signal an event???
You can use JSONP to call resources from one domain to another.
You can use window.name as ~2Mb text transfer between cross domain frames for older browser.
Or for modern browser you can use window.postMessage to communicate string data between the 2 frames.
But you need some cooperation from the domains for these techniques to work.
You should look into using JSONP. It is fully supported in jQuery if you are using that particular framework. It allows you to use JSON across domains.
Thanks to both answer I found the following:
http://benalman.com/code/projects/jquery-postmessage/docs/files/jquery-ba-postmessage-js.html
http://benalman.com/projects/jquery-postmessage-plugin/
jQuery postMessage enables simple and
easy window.postMessage communication
in browsers that support it (FF3,
Safari 4, IE8), while falling back to
a document.location.hash communication
method for all other browsers (IE6,
IE7, Opera).
With the addition of the
window.postMessage method, JavaScript
finally has a fantastic means for
cross-domain frame communication.
Unfortunately, this method isn’t
supported in all browsers. One example
where this plugin is useful is when a
child Iframe needs to tell its parent
that its contents have resized.
I'll have a look at it...
here's a very complete document that analizes the different approaches...
http://softwareas.com/cross-domain-communication-with-iframes
another solution to have a look at
http://easyxdm.net/
with a sample
http://easyxdm.net/wp/2010/03/17/setting-up-your-first-socket/

How to get iframe's URL in javascript?

Getting directly the current iframe's URL, in javascript, is not possible due to security restriction.
Is there a way to override this restriction?
Using ActiveX control?
Changing the browser's security options?
Using HTML5?
Using flash?
Using server side scripting?
Getting directly the current iframe's URL, in javascript, is not possible due to security restriction
If you mean cross-domain IFrames, and you have no way of controlling the inlying page, then this is correct.
As far as I know, no, there is no way to get around this.
The only way I can think of - and you don't want to go down that road - is proxying every page inside the iframe through a local server script, rewriting every link and action within each page to go through the proxy, too. But that is hugely difficult, comes with a shitload of things to be aware of, and is not a real option - many modern sites will simply break if proxied that way.
As I understand it if you have no control of the frame you are not supposed to know what is going on in this frame. So, knowing it would be a security bug and should be fixed. Browsers are designed to not allow the page spy on what you are doing in another page.
If you have control over iFrame there are some options for you
There is a discussion here:
How do I get the current location of an iframe?
basically
var iframe = document.getElementById('loader').src
You can actually get the location if iframe is located at the same server. If it is located at a different server the only way to go is to rewrite URLs like some sites do. It is not easy to do though
You can also do HTML5 cross-window communication:
http://ajaxian.com/archives/cross-window-messaging-with-html-5-postmessage

Categories