In my application i am getting the content of some other domain's page. Along with the content it is running the javascript associated with the particular page. In the javascript code "document.selection.createRange()" is written which is throwing exception at run time in IE (since in IE due to security concern you can't change iframe's data or the reverse).
So my question is how to suppress the exception.
Thanks in advance :)
You can do this in jQuery by using a load with a page fragment.
If .load() is called with a selector expression appended to the URL,
however, the scripts are stripped out prior to the DOM being updated,
and thus are not executed
Be aware though that this will only work if the other domain allows your domain access via CORS http headers.
Related
Is there a way to block a particular line of code from being executed within a third-party website, appearing within an iFrame?
I have an embedded widget which is loading JQuery within the iFrame. I don't need the extra network request, because my site is already loading JQuery.
If I can block only one line of code (in this case, line 77) then I can prevent JQuery from being loaded again.
I imagine this action would take place prior to the iFrame being rendered.
The same-origin policy prevents you from touching any part of an iframe for a third-party website, so there's nothing you can directly do to prevent that request from being sent out. Even if you could, the iframe and your website have no shared state, so the other website will most likely break because it has no way to access your instance of jQuery. Think of what would happen if you loaded the third-party website in a new tab but blocked the request.
There are, however, a few things you can do to ensure the browser uses a cached copy of the library, which doesn't actually send a request anywhere:
If the external library is being loaded from a CDN, there's a good chance some other website has requested that same URL, so that user's browser has a cached copy of it.
Since you yourself use jQuery, you could use the other website's same version of jQuery. That way, a user's browser will have a cached copy of the file already from the CDN and no second request will be made.
Otherwise, if the website is using an old version of jQuery that you cannot yourself use or if it is being self-hosted without a CDN, there's nothing else you can do.
I'm working on an extension that injects script in a page.
The extension is basically a content script that injects another script into the DOM. ( Why not just a content script? )
(There aren't any issues with my code, it works fine. The main purpose here is to learn about security issues in web development only)
The injected script is a source file in my extension and I get it with JQuery.get, using the address from chrome.extension.getURL('myscript.js').
Are there any security issues I should be aware of?
The page is not https, can this get return something different from my script?
I also insert HTML content using the same method. The HTML file is from my extension, just like the scritp. Is there any possibility of the responsetext be corrupted by a man in the middle??
What are the common practices to avoid such security issues if they exist?
Differently, if I create a script (document.createElement('script')) and set its source to my file. Would it be possible for someone to interfere when I inject this cript into the dom? (document.documentElement.appendChild(myScipt))
Also, what are the security issues involving this approach? Injecting a script that changes the XMLHttpRequest methods open and send in order to capture ajax calls, add listeners and send them with the same exact original arguments.
So, namely, say I have these:
var myScript = document.createElement('script');
myScript.src = chrome.extension.getURL('myscript.js');
var page = chrome.extension.getURL('mypage.html');
In such context, can a $.get('mypage.html') return anything different from my page due to a man in the middle? (In other words, could I unknowingly inject a malicious page?)
Could a document.documentElement.append(myScript) inject a different script? Could a supposed man in the middle get between the .src and change the actual script?
Since the script is meant to change the XMLHttpRequest prototype as described in the linked approach, could I ever send with arguments different from those passed by the original call?
Thank you!
First of all, Chrome is both the client and the server when you fetch a file from an extension, so you don't need https, it's worthless in this scenario. There is no man in the middle here.
One can think of another extension intercepting the ajax, but to do so that extension should already have proper permissions granted by the user, so it won't be an unauthorized interception. At least it won't be any less secure than any https ajax.
And, as you say, another man in the middle attack consists in redefining XMLHttpRequest, which you can do with an extension (with proper user authorization) or any other way to inject a script in the page (specially if the page is not a secure one).
I wonder if you can inject and run a script before the page loads, or at least before any other script execute, with the only purpose to "secure" the original XMLHttpRequest object (with something like mySecureAjax = XMLHttpRequest;)
You can execute before any script on the page, but you can't guarantee to execute before another extension's injection.
So I have this craptastic code that I inherited and an insane client as well. This program uses IFRAMES to emulate AJAX like calls since the previous dev could not be bothered to just do AJAX. Anyway, the problem is, is that the app calls a javascript that then sets the source of the IFRAME to some dynamic javascript.
Okay, now at the end of this javascipt, the IFRAME tries to set a value on the parent. But in IE7 and IE8 I get "Permission Denied" errors when trying to access parent.document. I imagine that this is to protect against cross domain security issues, however the parent and the child are in the same domain. The site is all https; I don't know if this makes a difference. Any ideas would be awesome.
Both the parent and the child need to be on the same domain and subdomain. Additionally, if whatever code runs in theiframe redirects the frame, it would no longer be in the correct domain when it is finished executing.
I'm loading a page through AJAX with jQuery's load() function. It doesn't work in IE8, giving the "permission denied" error. Using the IE debugger, it seems that when jQuery tries to open up the xhr, ie blocks it.
The problem is, my page has a javascript src that points to bing maps js api (which of course is in a completely different domain than mine). It seems to me that IE tries to grab this js file through a xhr, which then throws the "permission denied" error. Is there a workaround for this?
I can only remember of downloading the bing maps js myself and serving them locally.
I did more test on this. And seems the error was caused by invalid HTML structures on the page. As it is a very complicated page, there are mismatched open <div> or <table> on the page, as when I shorten the page to bare minimum, it works on IE as well. But I don't understand why it was not working when you get to the page first time, and if you refresh the page, it will work after that.
I just had this problem and I posted my solution on this thread:
jQuery AJAX problem in IE7 (possibly other versions as well)
I eventually grabbed a copy of the script and include it myself, so it is in the same domain.
You could include the script tag to the Bing Maps API in the parent document (the one making the jQuery load() call).
Just for the reference:
I experienced this error on Windows 8 with IE 10 inside my WinForms application.
In this application, I'm hosting a WebBrowser control that loads its content from a built-in web server and also communicates via window.external with my host WinForms application.
Enough keyword fishing.
Getting this error
Now what happens to get this jQuery error in my application was:
Browser has successfully loaded an URL.
I programmatically loaded another URL.
Then I immediately opened a child form with Form.ShowDialog.
After closing this form, the jQuery error was shown.
Resolving this error
I resolved the error by postponing the opening of the child form until the application was idle.
I.e. I used a Queue list inside my main form, subscribed to the Application.Idle event and inside this event handler, I processed the queue, one by one.
The new steps now were:
Browser has successfully loaded an URL.
I programmatically loaded another URL.
Put the action to open the child form inside the idle queue.
When the idle queue is processed, it opens the child form.
Then, the error was gone.
I guess, instead of using this idle processing, I also could have waited until the web browser finished its loading by subscribing to the DocumentCompleted event and show the child dialog from there.
Hope this will help someone...
So all this time I had no problem with this script. But all of sudden today, it began to behave strangely.
So I have a JavaScript page that loads inside an iframe.
This is injected into a page loaded via proxy.
$(top.document).ready(), throws an error saying Permission denied...
I was surprised, so I decided to try load a different page.
Then it was no longer complaining.
I rebooted my computer, and when I first loaded a page via proxy, as the iframe containing JavaScript was injected into that page, I got the same error again.
What is happening? Is this a problem on my server or my computer?
http://en.wikipedia.org/wiki/Same_origin_policy
As the error says, there is a permissions problem and it likely has nothing to do with an error your computer, server, or otherwise, but is a design limitation/security feature of JavaScript.
JavaScript is able to access and/or alter other documents (e.g.: windows) other than its own (the one it is being executed fro) if that document comes from the same host. This is known as the "same origin policy."