
Cross Domain Scripting


Diggum1 (Programmer), Oct 14, 2004
I have several pages that a user can either submit or skip using a regular submit input. All of my content resides inside an iframe of my client (which resides inside another iframe on their containing page). When a user cycles through my content, I'm trying to get the client's browser (the outermost scrollbar) to scroll to the top of the page.

I've tried various things on my pages like:

<input name="Submit" type="submit" value="submit" onclick="parent.parent.window.location='#anchor';"/>

and even:

<body onload="parent.parent.window.scroll(0,0);">

but I'm getting a JS error that reads, "uncaught exception permission denied to call method Location.tostring"

I'm pretty sure it's because of some sort of cross domain scripting security in the browser.

Is there any way around this? Anything else I can try? The client is willing to let us add any scripts we need to our content... they just don't want to modify any of their pages.

Thanks
Rick

Here is a working example of an XSS technique that might be what you are looking for:


The code is split over 3 files and across two domains.

The code for each file is listed below. This file lives on DomainA (coedit.co.uk for the example):
Code:
<html><head>
<title>Page that has an iframe on it</title>

<script type="text/javascript">
/* called from the iframe */
function scrollWindowToTopOfPage() {
	window.scrollTo(0,0);
}
</script>
</head>

<body>
<h1>This is the main content page</h1>
<p>There is an iframe near the bottom (that you need to scroll down to) that contains a link that ought to allow you to scroll the window to the top again. The key is that the iframe content lives on another domain entirely from this.</p><hr>
<p>... add in loads of content to force scrolling...</p>
<hr>
<h2>Iframed content follows...</h2>
<iframe width="600" height="1200" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" src="http://www.coedit.com/iframedContent.html"></iframe>

</body>
</html>

This file also lives on DomainA (coedit.co.uk for the example):
Code:
<script type="text/javascript">
	try {
		window.top.scrollWindowToTopOfPage();
	} catch(e) {};
</script>

This file lives on DomainB (coedit.com for the example):
Code:
<html><head>
<title>Iframed Page</title>
</head>

<body>
<h1>This page lives in an iFrame on the coedit.com domain</h1>
<p>Note it has an iframe that points to a file in the parent domain over at coedit.co.uk</p>
<p>Click <a href="javascript://" onclick="document.getElementById('hiddenCrossSiteScriptingIframe').src = 'http://www.coedit.co.uk/xsshiddeniframe.html';">this</a> link to scroll the parent window to the top.</p>

<iframe id="hiddenCrossSiteScriptingIframe" width="1" height="1" style="position:absolute;top:0px;left:0px;visibility:hidden;"></iframe>

</body></html>

The key to the "hack" is that there is an iframe from the iframed content back through to a file on the same domain as the wrapping page. I've given this an ID hiddenCrossSiteScriptingIframe to make it obvious.

I'll attempt to make this a more readable description via an FAQ post at some stage. In the interim, if there are any questions... post away!

Cheers,
Jeff

Jeff's Blog @ CodeRambler

Make sure your web page and css validates properly against the doctype you have chosen - before you attempt to debug a problem!

FAQ216-6094
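As an added example (not code from the thread or from Jeff's blog), here is the same "cross-origin iframe asks the top page to scroll" goal done with window.postMessage, which browsers added some years after this 2004 thread. It removes the need for the hidden iframe and the extra file on the parent's domain, and it adds the check the nested-iframe trick does not have: the top page verifies the sender's origin and the message shape before scrolling. The origin list, the message type name and the helper function names are assumptions of this example; the domains are the thread's own example domains. handleScrollRequest is kept free of DOM calls so it can be exercised outside a browser.

```javascript
// Added example, not code from the thread. A postMessage-based way for a
// cross-origin iframe to ask the top-level page to scroll to the top.
// handleScrollRequest is a pure function (no DOM access) so it can be
// tested outside a browser; the two helpers below are the browser glue.

// Origins the top page will accept scroll requests from. Example value,
// reusing the thread's example child domain; adjust for a real deployment.
const ALLOWED_CHILD_ORIGINS = ['http://www.coedit.com'];

// Decide what to do with one incoming message event.
// Returns 'scrolled', 'ignored-origin' or 'ignored-type' so the decision
// can be asserted on rather than only observed as a side effect.
function handleScrollRequest(event, allowedOrigins, scrollToTop) {
  // 1. Origin check: event.origin is filled in by the browser and cannot be
  //    set by the sending page, so this is the actual trust decision.
  if (!allowedOrigins.includes(event.origin)) {
    return 'ignored-origin';
  }
  // 2. Shape check: only act on the one message type expected here, and
  //    treat event.data as untrusted input even from an allowed origin.
  const data = event.data;
  if (data === null || typeof data !== 'object' || data.type !== 'scroll-to-top') {
    return 'ignored-type';
  }
  scrollToTop();
  return 'scrolled';
}

// Top-level page (DomainA, coedit.co.uk in the thread): install once on load.
// This is the one script the client's page still has to include, just as
// the nested-iframe trick needs scrollWindowToTopOfPage() defined there.
function installTopPageListener(win, allowedOrigins) {
  win.addEventListener('message', (event) => {
    handleScrollRequest(event, allowedOrigins, () => win.scrollTo(0, 0));
  });
}

// Iframed page (DomainB, coedit.com in the thread): call this from the
// submit button's onclick. The target origin is named explicitly instead of
// '*', so the browser drops the message if the page has been framed by
// something other than the expected parent.
function requestTopScroll(win, parentOrigin) {
  win.top.postMessage({ type: 'scroll-to-top' }, parentOrigin);
}
```

In the browser the top page runs installTopPageListener(window, ALLOWED_CHILD_ORIGINS) and the iframed page calls requestTopScroll(window, 'http://www.coedit.co.uk') from its submit button. The two checks in handleScrollRequest are what make the listener safe to leave on a page: without the origin test any site that can frame the client's page could drive it, and without the shape test an unrelated message from an allowed origin would trigger the scroll.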
 
I have written this up in more detail over at:


It's a little more generic and hopefully describes it better than I have done here.

Cheers,
Jeff

 