open "non-secure" blank window from a secure page - javascript

I'm using the following code to open a blank window from a "secure" page:
$('#previewTemplate').click(function () {
var preview = window.open('', 'PreviewTemplate', 'width=800,height=400,scrollbars=1');
var html = '<html><head><title>Preview</title></head><body>' + $("#textbox").val() + '</body></html>';
preview.document.open("text/html", "replace"); preview.document.write(html); preview.document.close(); return false;
});
The blank window is opening as a secure page (preview.document.location.protocol="https:") so IE is barking about the mixed content because I have a non-secure image in the page. I'm trying to open up the blank window as a non-secure window. Trying to change the location.protocol to "http:" or location.port to 80 doesn't seem to work. Is it possible to open up a blank "non-secure" window from within a secure page?

If the main window was https and the child window was http, the same origin policy would prevent the two from communicating with each other. i.e. those calls to preview.document.open would never work.
Three options:
host the image from the same https
domain as the parent window.
Instead of dynamically writing to the child window, just host a page on
the same server as the image. Even
if you can only put static html there
for whatever reason, some basic
javascript could be used to read the
url's query string and get the value
of textbox.
Read up on window.postMessage. Only works
in more modern browsers though.

Related

passing message with postMessage() in cross origin manner

I am developing a chrome extension, in which I am working on two windows. The second window has been opened by the first window, through JavaScript. What I want to do is, to get the URL of the window opened by the first window. I have tried some methods, like using cookies, local Storage but I failed because of the cross origin policy. Now I came to know after a tutorial on postMessage() API of JavaScript that it overcomes the policy of cross origin. What I am doing is, I am accessing the URL from my localhost, and trying to get the URL of any other site, or possible I can get a simple message from that, but its not working for me as well. As I am not even getting any error and not even a warning. My goal is to get the URL, after when the child window loads. I will require on load function, so that I can check when the window is loaded right after it send me the message to my current window where it has been opened from.
My Code
var win = window.open('https://javascript.info/','_blank');
win.focus();
win.postMessage('The URL of the window is : ' + document.URL,'http://localhost.com/ext_files/index.php');
window.addEventListener("message", function(event) {
if (event.origin != 'https://javascript.info/') {
// something from an unknown domain, let's ignore it
return;
}
alert(event.data);
});

Cross Origin - window popup (window.opener is null)

What i wanted to do:
From parent window on user click open new window source is Third Party URL (different domain)
User Authenticate in Popup and then Third party submit success data on Redirect page. (Like Twitter)
From Child Window (PopUpWindow) i have to send data back to Parent window.
what i did
var windowReference= window.open('https://ThirdPartyURL', 'CrossDomain', 'width=840,scrollbars=yes,top=0');
window.parentMethod= function (input) {alert(input)}
window gets open in new window User gets authenticate and get returned data on Redirect Page
on Redirect page (child window)
window.opener.parentMethod(response);
in Firefox its working but in IE
window.opener null . Reason is cross domain . if Third party URL is in current domain then it works fine but if its cross domain windowReference gets null
to get it working i have to change Internet Settings->Security->Check Enabled
its almost impossible to do at every client machine.
i have tried to used Postmessage but it has support for IE10 and in IE8 and 9 it has support for Iframe where as in my case Third party has disabled IFRAME embedding.
can some one help me how to over come this issue . any help will be appreciated
Short answer: you can't. The cross origin policy has as a reason exactly not allowing you to do what you want (the so another site won't run js on yours and the other way around).
To get around that you need to find another way to send data (usually server side -> curl requests).

change iframe height while the child is from onother domain

I am using Facebook apps, and Facebook apps requires to put your application in an iFrame,
everything is going fine except than that the height if the iframe the create is static and i want to change the height of the iFrame,
i tried the following :
jQuery(parent.document.body.getElementsByTagName('iframe')).load(function() {
this.style.height =
this.contentWindow.document.body.offsetHeight + 'px';
});
but when trying to access the parent document
parent.document
an error occurs
Unsafe JavaScript attempt to access frame with URL
http://www.facebook.com/somthing/app_100550322222338 from frame with URL
http://z.me/facebook/whatsnew. Domains, protocols and ports must match.
is there any other solutions ??
There is no client script solution, as the page and the iframe comes from different domains.
If you set up a proxy page on your server that fetches the facebook page, they would appear to the browser to come from the same domain, so then the script would work.

Javascript cross domain problem

Our website gives a widget to be installed in pages (a piece of Javascript that writes an iframe element and inside it renders things and you see rss, images, and other stuff).
I need, after the user do some stuff, to redirect the page (where the widget is) to another location, but using top.document.location is forbidden since the page and the iframe generated by the widget are in different location, and using window.open is usually blocked by popup blockers.
How can i do it ?
Try:
window.location.href = "url";
Although reading properties from the top window is disallowed, some of them are open to writing - and one of these are location.
Simply do
top.location = "http://foo/bar";
and it will redirect just fine.

is window.open("", ... impossible with firefox?

In firefox I have opened a locally stored file with the file:// protocol
(file:///c:/temp/foo.html)
foo.html contains Java Script which (among others) is supposed a new
window without URL:
var new_window = window.open("","", "height=100,left=50,width=200");
When this line is reached, Firefox displays this "Firefox prevented this site from opening a pop-up window". I don't understand why Firefox gives this warning, obviously, the file (foo.html) is under my control (since it's stored locally and I have opened it with the file:// protocol, and, additionally, the window to be opened doesn't point to any file that could contain any sensitive data, as the url parameter in the open method is set to "".
But besides all this, it seems I can't even force or allow firefox to open the window anyway. There's this "options" button on the yellow "Firefox prev...." bar which supposedly should allow to create exceptions, yet I can't.
So, the question basically boils down to: how can I allow a local html file to open an empty window with Javascript within Firefox.
Thanks / Rene
This is a Firefox security precaution, see this link:
http://kb.mozillazine.org/Links_to_local_pages_don't_work
However, it looks like this extension will allow you to override it:
https://addons.mozilla.org/en-US/firefox/addon/281
This is the popup blocker, which block popups not opened by an explicit user action like a click.
You cannot force it to open the popup, you need to allow Firefox to open it.
I suggest you to test the new_window variable to see if it is null. In this case, display a message to the user so that he allows the domain to open popup windows.

Categories