The return value of document.location.href will become javascript:window["contents"] sometimes.
When it will happened? how to avoid it?
I found out
The code is placed in an iframe without src url.
<iframe id="google_ads_iframe_/21202031/LTN-000-03-HOME-120X600-DISPLAY_0" name="google_ads_iframe_/21202031/LTN-000-03-HOME-120X600-DISPLAY_0" width="120" height="600" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" src="javascript:"<html><body style='background:transparent'></body></html>"" style="border: 0px; vertical-align: bottom;"></iframe>
As you already have suspected, this indeed has to do with (I)Frames and more specifically, the way some scripts/libraries work with those frames.
It is a technique to avoid a ReferenceError (in IE) in some cases when loading an external javascript (that is loaded asynchronous) which holds/provides variables/objects that are used in the frame's inline-script-source.
To quote the most relevant part from an article called 'inject content into a new iframe' :
Instead of using document.open/write/close we use the following
approach:
iframe.contentWindow.contents = content;
iframe.src = 'javascript:window["contents"]';
First, we assign the dynamic content to a variable on the iframe’s
window object. Then we invoke it via the javascript: scheme. This not
only renders the HTML properly, but loads and executes the scripts in
the desired order.
This is also in-line with a similar answer on SO.
Hope this helps!
For me I have 3 tabs that open with Internet Explorer ... Yahoo, MSN and my email account. Went to "tools" >Internet Options and removed Yahoo, okay and closed. After I verified that I no longer got the java script error tab I reinstalled Yahoo and that solved the problem.
Related
Setting src directly in iframe is working as expected
I'm trying to embed a Sharepoint document here.
For eg
<iframe src="https://rocketlane123-my.sharepoint.com/personal/lokeshkannan_rocketlane123_onmicrosoft_com/_layouts/15/Doc.aspx?sourcedoc={8822527b-0c56-44f9-8263-40c737db903c}&action=embedview"
width="476px"
height="288px" />
Whereas when I set the src in the script it's failing
<iframe id="x" width="476px" height="288px"></iframe>
<script>
document.getElementById('x').src = "https://rocketlane123-my.sharepoint.com/personal/lokeshkannan_rocketlane123_onmicrosoft_com/_layouts/15/Doc.aspx?sourcedoc={8822527b-0c56-44f9-8263-40c737db903c}&action=embedview";
</script>
This happens explicitly with SharePoint. So I would like to understand a couple of things here.
1. Am I doing something wrong?
2. Is there any CSP headers which block the parent from adding via JS?
3. Is there any official way from SharePoint to allow this?
3. Is there any way to hack this?
Thanks in advance.
Since this happens across chrome, safari and firefox I think it's not a bug in a specific browser.
Trying this in Firefox yields this error message:
To protect your security, login.microsoftonline.com will not allow
Firefox to display the page if another site has embedded it. To see
this page, you need to open it in a new window.
Opening the console gives this message:
The loading of [url] in a frame is denied by “X-Frame-Options“
directive set to “DENY“.
This is a header that's set by login.microsoft.com to disable embedding the link as an iframe.
This link details this design choice: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/sites/cannot-display-sharepoint-pages-in-iframe
The link mentions you can override the behavior by setting 'AllowFraming', though it doesn't recommend it, as there may be site-breaking changes by embedding it.
A guide to use this feature can be found at this link
The problem is in, javascript amp; should not represent as &.
Change your link to
<body>
<iframe id="x" width="476px" height="288px"></iframe>
<script>
document.getElementById('x').src = "https://rocketlane123.sharepoint.com/sites/MyDocsforSP/_layouts/15/Doc.aspx?sourcedoc={6d327004-5d52-4e42-9707-c964631f8e65}&action=embedview";
</script>
</body>
I am basically trying to prevent any custom dialog boxes to be shown in my webpage.
Basically third party ad-networks, which at times may use some malicious code to show alert() to the end user.
I've come across a simple way, to override the alert on the main page:
Window.prototype.alert = function() {console.log("alert prevented!")}
So for a basic html page like this, it works just fine:
<html>
<body>
<script>
Window.prototype.alert = function() {console.log("an alert was averted");}
</script>
<div>
<a onclick="alert(1)"> This is an alert inside the body</a>
</div>
</body>
</html>
But introduce an iframe in the picture, and the alert within the iframe would pop-up.
What I still want to achieve is, if there is an <iframe> or anything similar HTML component, which basically would create a separate window, should also not be allowed to display any alert().
I'm not quite sure if this is possible, but still any suggestions?
It is probably not possible for old browsers, but newer browsers honor the sandbox attribute in iframe. “Newer” means IE 10 or newer or any reasonable new version of Chrome or Firefox. See support details.
For example, if you wish to disallow popups only, use this:
<iframe src=foo.html sandbox=
"allow-forms allow-pointer-lock allow-same-origin
allow-scripts allow-top-navigation."></iframe>
Here I have listed all the possible values that this attribute value may contain except allow-popups, so that’s the only feature that will be disabled by the attribute.
ExpressionEngine seems to be stripping some of the parameters from the source URL of an iframe. This is happening in the browser, not on the server.
When I view the HTML source for the page in question, the iframe source is correct. When I view it in the console, it is not the same as in the HTML source.
The elements console shows:
<iframe frameborder="0" height="166" scrolling="no" src="http://w.soundcloud.com/player/?wmode=transparent" width="100%"></iframe>
The HTML source shows:
<iframe frameborder="0" height="166" scrolling="no" src="http://w.soundcloud.com/player/?url=http%3A//api.soundcloud.com/tracks/112438993&color=ff6600&auto_play=false&show_artwork=true" width="100%"></iframe></div>
If I manually change the source in the browser's elements console, the iframe loads without problem.
I'm imagining there is some javascript that is stripping out the src, but I can't find it. I've searched and searched using Google for someone experiencing the same problem, without success.
The URL in question is: http://rebelnoise.com/articles/album-debut-in-december-for-irish-garage-popsters-dott
This happens for all soundcloud and spotify links.
Spotify Example: http://rebelnoise.com/articles/black-flags-what-the-the-bands-first-album-of-new-material-since-1985
Thanks!
EDIT:
On a hunch, I tried changing the source URL from https:// to just // --- still no luck.
I noticed that the wmode=transparent query string exists in the console, and not in the source... I wondered if a Javascript function was overwriting with the transparent query string, so tried adding that to my full URL as follows:
<iframe frameborder="0" height="166" scrolling="no" src="//w.soundcloud.com/player/?wmode=transparent&url=//api.soundcloud.com/tracks/112438993&color=ff6600&auto_play=false&show_artwork=true" width="100%"></iframe>
Interesting: I tried saving the entire page and resources to my Desktop, and running it that way-- everything seems to work, so I'm very perplexed.
I am closer to finding the problem-- it appears that wmode=transparent is being added to src all throughout the DOM, so I am wondering if some dummy added bad javascript code in the past to break this site and cause all this problem. Now to find the culprit code!
OK, I feel like a dunce- should have found the pattern sooner.
There was some code in the footer that added wmode=transparent to all the src files-- it didn't append to any queries that existed, it just replaced them with a new query string.
I removed that code, and everything is now working.
Explanation of problem in full below, you could probably just skip to the code at the bottom if you want.
What happened is a impatient client wanted his swf banners converted to html5 without having to actually code them from scratch. So i utilized Google's new tool, Swiffy. I then tried to place this new generated html5 page in the header of the clients wordpress site. I have gotten it to load as an iframe but the problem that I am encountering is when you click on a link on the loaded html5 page, it just loads the linked page in the iframe, not the parent page/window (which is to be expected). I tried a bunch of other methods, and tried changing the AS2 links in the .fla as well but no luck. I am guessing Swiffy can not read every AS2 code, and so it has been ignoring my "_blank", "_parent" when I use getURL. Anyway, I have been trying to get it so when the iframe unloads to go to the linked page, it uses Java to just open the link on the parent page. But iframes cant use the onunload event, but I am pretty sure framesets can. So this is the code I was trying and it doesnt work.
<frameset rows="100%" onunload="window.open('http://www.goaefis.com/about-aefis/what-is-aefis/','_parent');">
<frame src="www.goaefis.com/banner_Test.html" frameborder="0" scrolling="no" />
</frameset>
Any help will be super appreciated.
try to use the "target" on your frames.
Here's a example:
http://www.w3.org/TR/html4/present/frames.html
I'm experiencing rather strange behaviour in IE9 when loading a PDF in a frame with Javascript. The document will load once, but any subsequent invocation will result in SCRIPT65535: Invalid calling object.
I'm constructing my URL from Javascript and loading through top.framename.location.href='file1.pdf'. If you start with a PDF in the frame, it will fire the error upon the first invocation of the script.
So, it appears you are no longer allowed to modify the location.href property of a frame in which the Adobe Reader plugin (version 10) is loaded. The same code with HTML documents works fine.
Does anybody know why this behaviour was changed, and if there is a workaround other than using IE8 emulation with <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">?
I'm also not looking for workarounds that completely avoid the Javascript. There are numerous options, like constructing the link elsewhere and loading it with a target attribute, but I'd really like to do this with Javascript.
If you want to test/reproduce, you can use:
<frameset cols="150,*">
<frame src="toc.html"/>
<frame src="about:blank" name="otherframe"/>
</frameset>
and in toc.html:
<a onclick="javascript:top.otherframe.location.href='1.pdf'">pdf1</a><br/>
<a onclick="javascript:top.otherframe.location.href='2.pdf'">pdf2</a>
Take a look here:
http://forum.jquery.com/topic/internet-explorer-9-jquery-and-divx
When I go to IE9 developer tools (F12) and under Script tab, click on
Start debugging button, I get details about the error: SCRIPT65535:
Invalid calling object script block (2), line 72 character 4
When you look at the script line 72, this line is highlighted:
appendChildOriginal(element);
Then I go to IE9, Manage add-ons, under Toolbars and Extensions, look
for Divx, LLC and disable Divx Plus Web Player HTML5 and DivX HiQ and
restart IE9 Browser.
The error is gone and my web application work perfectly.
Had the same problem.
In IE9, the frame object is replaced by some PDF object that doesn't contain the location property. So the second time you cannot update the frame url with location.
You can solve this by using window.open()
window.open('1.pdf', 'otherframe');