I'm iframing an external site. That site tries to call location from parent for analytics reasons and access is refused (for obvious default security reasons) .
Yet I would like to disable that security and answer, because that site is a 'friend' but not on the same domain.
Seems impossible to grant that access... any idea ?
I ran into a similar situation before. Allowing for cross domain javascript access through iframes is not possible since this would result in a cross-scripting-attack nightmare. Like the other poster said, you will have to post this data to them yourself. One way to fix this is to set a cookie that can be read by the other domain with whatever information they are looking for then they can read the data from the cookie. Javascript can set to the cookie when you load the other site in the iframe. For a function to do that, check http://phpjs.org/functions/setcookie:509
If the site is a 'friend' as you say - how about passing them the location data yourself?
Related
I use electron 0.36.0 and I have a cookie for a page and this page has a nested frame with a different domain.
I need to somehow keep a cookie alive when going to this frame directly (different domain) and ideally, I want to avoid upgrades of electron (otherwise I would have to rewrite my code).
What's an ideal solution for my situation (it can be also a small workaround)?
Thank you!
Cookies can now be shared with different domains so you will have to find a different way of doing what your trying to do.
For cross domain cookies alcuadrado has described a work around to do this in his post like below:
centralize all cookies in a single domain, let's say cookiemaker.com
when the user makes a request to example.com you redirect him to cookiemaker.com
cookiemaker.com redirects him back to example.com with the information you need
check this answer and this.
I created a small application using Electron ( http://electron.atom.io ). I want to add a feature that automatically logs in people on specific websites, on any type of browser.
The way I though of this is if Electron automatically completes the username and password fields of the website OR it sends an ajax request using the website's window context ( inject himself somehow into the content ).
I know that is possible to achieve this if I create extensions for each browser but it will take too long.
Thank you
The problem you will face is all browsers are set to prevent what is known as cross-site scripting. Basically I can create a frame inside a page or within the same domain and manipulate the dom of this externally sourced frame but I can not do this with a source from another domain.
So scripting across to fill and submit the form won't work which leaves you to trying to send a HTTP GET or POST through AJAX. Which the problem we reach here is that the site you are logging into is likely to check the referring URL to ensure the referrer is from it's own domain. While technically jquery has a method of setting the referrer header, unfortunately the browser resets this header in any cross site transactions for security purposes.
So basically there is no way to accomplish this reliably from a browser side script as the browsers are very restrictive when it comes to security measures. You will be able to login via AJAX to any sites that don't check their referrer header, but other than that you would need an arrangement with the websites your logging into, or use a more unrestricted platform that will allow you to manipulate the DOM cross site or spoof the Referrer Headers.
I figured that I will use the following approach:
I've found where most browsers keep their cookies, so I will upload the cookies there. When the user accesses the browser, it will be automatically logged in.
I am trying to load a a page into an iframe. When that page is loaded i wish to edit the contents of the "pre" tag which is inside the loaded document. The loaded doc is from another domain. I am using : resultframe is the iframe
var atag= document.getElementById("resultframe").contentWindow.document.getElementsByTagName('pre');
atag[0].innerHTML="done";
to access the tag.
problem: there seems to be no effect of this statement. I need to know the correct syntax and also that can i access the elements of pages loaded from different domain. I got the syntax from the web and also some variation of it.
Please suggest.
While JavaScript is limited by cross-domain policies that prevent interaction with another domain, there is one potential workaround as long as you can live with certain limitations.
By using something like PHP and it's cURL library you can grab the contents of a page from just about anywhere (even a secure page or one that requires a login, as long as you have credentials). You can then parse the page, edit what you need to, and display it within your own site. It's important to realize, though, that this is simply your own local copy of the page. You won't have the luxury of actually changing the contents of the page itself.
Another possibility, which would require access to all domains you wish to edit, would be to employ a web service that would accept edits in the form of a PUT request. You can achieve a lot more with a web service, but it would have to be available on all target domains that you wish to make changes to.
In the near future, XMLHttpRequest Level 2 might become a reality and will bring Cross-Origin Resource Sharing (CORS) with it. CORS will allow web applications on one domain to make cross domain AJAX requests to another domain. The target domain will have a header giving express permission to allow requests from another. Potentially, this could be used to send edits to another site.
You can't. Browsers have cross-domain policies, for security reasons.
What if I included the facebook page in an iframe, and I can get all your information because you're always connected to it?
I am creating a bookmarklet that is to be used across a wide range of domains. I wanted to set some cookies to store temporary settings for this bookmarklet, so I assumed that setting a cookie from this script would assign the cookie to the domain of the script's origin.
This was not the case, the bookmarklet is able to assign cookies to the domain of the current site being viewed. This is not suitable for my needs (this would remember settings per domain, rather than for the bookmarklet across all domains).
My question is, is this somehow breaking the cross domain policy? And a follow up question, how can I store cookies for the bookmarklet rather than the correct domain it is used on.
Bookmarklets are running in the context of the current page so that is the security context they run in and thus this doesn't break cross domain policy. You can only set cookies on the current page's domain. Because of this your bookmarklet can't have it's own cookies.
This is the same as scripts that are loaded into a given page from a variety of domains. The origin of the page is what matters, not the origin of the script.
The only way I know of for you to save settings once for your script across all domains would be to use cross domain JSONP and store the settings on your server, but you still may have difficulty identifying a unique user.
It sounds like what you're trying to do would be much more suited to a browser plug-in which has local storage for the plug-in.
It does not break cross domain policy, since it is in fact run on a separate domain (that's the point behind a bookmarklet).
If you want to store cookie information, either make use of a 3rd party service (as in, have your own server with code that accepts cookie changes).
Note that this can be a security issue since every domain would be able to get cookies for your user, unless you make your service write-only (which I doubt).
Then there's another alternative - don't save settings in a cookie. Use a different storage medium instead.
I'm working on an internal tool, and I recall there being some way to make your script prompt for elevated permissions, and if accepted, allowing cross site requests etc...As this is an internal tool, this may accomplish something I need.
Does anyone know how to do this?
To elaborate, I'm actually trying to read (in javascript) the contents of 3rd party tracking iframes injected into our page, to give some performance analytic information. These iframes are obviously from a different domain. If I were to proxy them, they would no longer give accurate information, so that option is out.
I don't think you can actually make your script ask for elevated permission, but you can check for it and ask the user to change his browser security level if needed.
Mozilla.org has an interesting article about configurable security policies : http://www.mozilla.org/projects/security/components/ConfigPolicy.html
If you only need to bypass the same origin policy, you could use other tricks, e.g. a server-side proxy.
For Firefox/Mozilla, I think you mean netscape.security.PrivilegeManager.enablePrivilege() like in this other question.
You'll need the UniversalBrowserRead privilege to allow cross-site AJAX. (I've used it to build a set of local files for a simple stock-ticker page that grabs data from Yahoo's Finance service. The browser asks you (the user) the first time you run the browser on that page whether you want to grant the privilege. You don't have to grant it again until you restart the browser and read the same page again.)