Here is the scenario:
I have a container page that swaps iFrames in and out to show different content. All iFrames come from the same domain. https is enabled.
The container page has an object called Flow, with functions set/getParameter
The first iFrame, s0-welcome, creates an object, data, and calls Flow.setParameter('data', data);
The container then replaces the first iFrame with a second iFrame, s1-transfer.
The s1-transfer calls Flow.getParameter('data') and stores it in a local variable s1data
In the IE9 debug tools console, if I type s1data it shows me all the properties of that object. However, if I call s1data.hasOwnProperty('prop1'), I get a "Can't execute code from a freed script" error. If I call Object.prototype.hasOwnProperty.call(s1data, "prop1"), everything works fine.
It looks to me that there can be 2 possibilities:
1) Container page holds on to the reference from the first iFrame, but when the first iFrame gets disposed, it loses some of the data. This seems unlikely since the only thing I can't access is functions
2) There is a security restriction that does not allow one iFrame to run code related to another iFrame even if both iFrames are from the same domain.
Any thoughts?
Just ran into a similar issue. For me, simply changing s1data.hasOwnProperty('prop1') into ('prop' in s1data) made the error go away.
Related
In the following code
browser.runtime.getBackgroundPage().then(bgp=>{
document.querySelector("button").addEventListener("click", e=>{
alert(bgp);
});
});
bgp turns out to be null. I searched around and suggestions are most of the time for Chrome extensions, suggesting adding a "background" permission, which is not valid for Firefox. I also tried adding a background page explicitly, although one should be always created for me but it did not work either.
runtime.getBackgroundPage() provides access to the background script, not an HTML document.
This provides a convenient way for other privileged extension scripts
to get direct access to the background script's scope. This enables
them to access variables or call functions defined in that scope.
"Privileged script" here includes scripts running in options pages, or
scripts running in browser action or page action popups, but does not
include content scripts.
For example, the following code logs <unavailable> to the console.
browser.runtime.getBackgroundPage().then(bg => console.log(bg));
The window object can be seen in the debug console.
I have set up an Articulate Storyline course (a Flash version accessed using the page "story.html" and an HTML5 version accessed using "story_html5.html"). It works fine when run directly, however, when I try to run everything in an iframe on the company server (linking to the course files on my personal server) I get JavaScript errors:
The course uses player.GetVar("HTML5spelaren") to access a variable called HTML5spelaren, which is located on the story_html5.html page itself. When running in an iframe I get a "Permission denied to access property 'HTML5spelaren'".
Finally the course uses the JavaScript var newWin=document.window.open("report.html", "Kursintyg"); to display a course completion certificate in a new window. When running in an iframe however this results in a "Permission denied to access property 'open'".
Is there a way to rewrite the JavaScripts to get around this? I need to be able to detect if the course is running in Flash or HTML5 mode (that's what I use the variable in story_html5.html for), as well as being able to use JavaScript to open a new page from within the iframe when clicking on a link.
Page structure:
https://dl.dropboxusercontent.com/u/11131031/pagestructure.png
/Andreas
There's a way for different domains to speak to one another via javascript. You can use postMessage: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
In your case, in story.html or story_html5.html could use something like:
parent.postMessage(HTML5spelaren, parent_domain);
and you add an event listener in the company page:
window.addEventListener("message", receiveMessage, false);
And in receiveMessage function you retrieve the data that you need. Something like:
function receiveMessage(event){
your_variable = event.data
}
Same logic can be probably be applied to your popup.
You can post from child to parent or from parent to child.
My guess is that content you're linking to in the iFrame is on a different server/domain. If so, the error is a security feature to stop cross-site scripting (XSS) attacks.
Consider putting both the parent iFrame and the articulate content (child) on the same server. This should eliminate the problem.
I am loading a remote page with an iframe in node-webkit app.
I would like to run a function from the node.js app from the webpage.
In app.js i have
var xxx = function(){ console.log('test'); }
and in http://www.test.com/index.html i have tried:
window.xxx();
xxx();
global.xxx();
But nothing seems to work.
How can i do that?
Many thanks
If I understand correctly, you want to access a function that's defined in the remote page that you are including as an iframe in your current page, right?
There are two separate issue here, I think.
First, you need to have a handle on the iframe, then access that window's environment through the 'contentWindow' property of the iframe dom element, i.e. given an iframe with id foo, that points to a page with a function named bar, you could do this:
x = document.getElementById('foo');
x.bar();
This works fine for me with a local page, but the other issue is that you might find some difficulty with running a remote page in an iframe and still having access. If it's a page under your control, that might work, but some pages don't like to be run in iframes, so then you have to sandbox to some extent, which may interfere with your ability to access it in this way. It's been a while since I played with sandboxing, so I'm not sure, but if it's a page you control, you should be able to set it up so it's not a problem.
I'm opening a popup and want to have a click action in it cause the execution of some jQuery in the page that opened it. Everything I find online says I should be able to do that with window.opener, (e.g. JQuery - Write to opener window)
But when I console.log window.opener, it's just 'true', not a real object. window.opener.jQuery is undefined as is window.opener.$ and 'window.opener.document'.
Here's the window open code:
window.open('http://google.com' , "moderatorWindow", 'width=300, height=300');
This is in Safari. Other pages are able to launch a popup and when I inspect window.opener on those, I get a real object. What am I doing wrong?
Your variable is true and not an object because of same-domain policy rules. Just like an iframe, if the popup you open is not on the same domain or sub-domain then it is lost to you after you create it. The web would be a very unsecure place if I could say, open a (hidden) iframe on my site to gmail.com and was able to read your email.
Even if the popup is on a sub-domain you have to do extra work and set the document.domain value of both windows to the root domain (eg. mydomain.com). This is to ensure that the popped-up site wants to be known to its parent (again, think security, if my coke.ning.com community could open a hidden iframe to your pepsi.ning.com and do brute force attempts at a login, etc.)
To prove my point try actually going to google.com and opening up Firebug (or Inspector if you're using Safari or Chrome) and doing:
var bob = window.open('http://google.com' , "moderatorWindow", 'width=300, height=300');
bob.window.location.href; // returns "http://www.google.com/"
Lastly, feel free to call jQuery on the child page to modify elements on the same page and vice-versa but you can't use jQuery from one page to modify the dom of the other page. I tried this a few years ago to try to save on some loading time and, unless something has changed, it doesn't work. jQuery seems to be bound to the window object of where it was created. Weird things happen.
Presumably you are calling:
console.log(window.opener);
which should call the toString() method of whatever window.opener references. It should reference a window object, which is a host object. Per the ECMA-262, a host object's toString() method (if it has one) can return anthing it likes, even throw an error (try it on certain IE host objects implemented using ActiveX).
This article might help: http://developer.apple.com/library/safari/#documentation/AppleApplications/Conceptual/SafariJSProgTopics/Articles/Cross-documentmessaging.html
I've read several of the questions on this but am still a little confused.
For example: OK, I can't post examples because of hyperlink limitations
Here is my exact situation.
I have a site at mydomain.com
One of the pages has an iframe to another page at sub.mydomain.com
I am trying to prepare an onload script that if the page is not in an iframe or the parent domain of the page containing the iframe is not mydomain.com then redirect to mydomain.com.
After the initial permission issues I realised the problem with sub domains counting as separate domains.
One of the posts above says that "could each use either foo.mydomain.com or just mydomain.com"
So I tried (for testing):
onload="document.domain='mydomain.com';alert(parent.location.href);"
This produced the error (http replaced with lar
Error: Permission denied for <http://sub.mydomain.net> (document.domain=<http://mydomain.net>) to get property Location.href from <http://mydomain.net> (document.domain has not been set).
Source File: http://sub.mydomain.net/?pageID=1&framed=1
Line: 1
Removing the alert produces no errors.
Maybe I am going about this the wrong way since I do not need to interact with the parent just read its domain if there is one.
A nice simple top.domain. For read only there must be a way so that people can prevent their own pages being used within other people's sites.
You can't (easily) do this because of security restrictions.
This answer from #2771397 might point you in the right direction.
OK, while looking at the error console I still had open when I got home a wee lightbulb lit up. I am pretty new to javascript (can you tell ;) but I thought "If it has try/catch"...
well here is a hack at least to get the name of the top domain and an example of how I will use it in my site to show content only if the page is a frame in the correct domain.
Firstly the header will have the following partially PHP generated function:
function getParentDomain()
{
try
{
var wibble=top.location.href;
}
catch(err)
{
if (err.message.indexOf('http://mydomain.com')!=-1)
{
createCookie('IAmAWomble','value')
}
}
}
Basically the value will be something based on the PHP session I think. This will be executed at page load.
If the page is not within the proper site or if javascript is not enabled then the cookie will not be created.
PHP will then attempt to read the correct value from the cookie and show the content or an error message as appropriate.
I do see a slight flaw in this for first visit since page load will run after PHP has generated the content but I'm sure I can work around this somehow. I thought I'd post because this is at least what I was initially asking for and that is a way to read the URL of a parent site if it is in a different domain to the site in the frame.
IIUC you want to use the window.parent attribute: “A reference to the parent of the current window or subframe.”
Assumably, window.parent.document.location.host contains the container page URL domain name.