Wait for a frame to load tecnique 2

[Diancecht]

Hi all.

I'm facing the common problem of waiting for a frame to load. The url loaded in the frame is external, so no chance to use the onLoad event of the second frame.

I've been searching for sollutions in this forum and in the outer dark space and I must admit I'm a little dissapointed.

What I've found is the sollution is just entering a loop with some delay and check if the frame is loaded examining the content of the frame.

So I have two questions:

1.- Is there a more elegant way that I was not able to find, any event, any way to add a listener or maybe a wizard's spell?

2.- If not, which would be the best way to check, the end of body tag, if the location type is still undefined, maybe if the sky is blue?

I should remark that my objective is not showing the page to the user but have it cached by the browser.

Thank you.

Dian

 

[theniteowl]

Perhaps some modification of this:

function testpage()
{
  var mypage = document.getElementsByTagName('HTML')[0].innerHTML;
  if (mypage.lastIndexOf('/BODY>') == -1)
    alert("Tag does not exist");
  else
    alert("Tag exists");
}

You would have to point it to the frame you are reading.
The way it works now is it looks at the current HTML page.
Also, this will ALWAYS return true at least in IE because even if the page did not have a close body tag the browser adds it in. What you might have to do is to look at the HTML of the page you are loading and find something unique at the end of the page to look for rather than the /body tag.


Paranoid? ME?? WHO WANTS TO KNOW????

 

[cLFlaVA]

you should just be able to use the onload event of the external frame. this test worked for me:

<!-- re.html //-->

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"[URL unfurl="true"]http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">[/URL]

<html>
<head>
<title>Untitled</title>

</head>

<body>

<div id="myDiv"></div>

</body>
</html>

<!-- main.html //-->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
   "[URL unfurl="true"]http://www.w3.org/TR/html4/frameset.dtd">[/URL]
<HTML>
<HEAD>
<TITLE>A simple frameset document</TITLE>
<script type="text/javascript"><!--
function doThing() {
    top.frames['f1'].document.getElementById('myDiv').innerHTML = 'done!';
}
//--></script>
</HEAD>
<FRAMESET cols="20%, 80%">
      <FRAME id="f1" name="f1" src="re.html">
      <FRAME id="f2" name="f2" onload="doThing()" src="[URL unfurl="true"]http://www.msn.com/">[/URL]
  <NOFRAMES>
      <P>blah</P>
  </NOFRAMES>
</FRAMESET>
</HTML>

forgive the CAPS, i just copied/pasted a frame page.



*cLFlaVA
----------------------------
[tt]I already made like infinity of those at scout camp...[/tt]
[URL unfurl="true"]http://www.coryarthus.com/[/url]

 

[cLFlaVA]

unless i'm confused, since i see you're saying your onload event doesn't work. do i not understand your intention?



*cLFlaVA
----------------------------
[tt]I already made like infinity of those at scout camp...[/tt]
[URL unfurl="true"]http://www.coryarthus.com/[/url]

 

[LFI]

Cory,

Cool! It even works if I don't fill in the SRC attribute of the iframe, but then send the document.location to an external reference.

However, do you know how to then send another external reference to the frame? When I try to redirect the contents of the frame, I get a permission-denied error.

Dave


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience!

 

[cLFlaVA]

again, not sure if i am following correctly. wouldn't this do it? worked for me...

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
   "[URL unfurl="true"]http://www.w3.org/TR/html4/frameset.dtd">[/URL]
<HTML>
<HEAD>
<TITLE>A simple frameset document</TITLE>
<script type="text/javascript"><!--
var redirected = false;
function doThing() {
    top.frames['f1'].document.getElementById('myDiv').innerHTML = 'done!';
    if (!redirected) top.frames['f2'].location = '[URL unfurl="true"]http://www.google.com';[/URL]
    redirected = true;
}
//--></script>
</HEAD>
<FRAMESET cols="20%, 80%">
      <FRAME id="f1" name="f1" src="re.html">
      <FRAME id="f2" name="f2" onload="doThing()" src="[URL unfurl="true"]http://www.msn.com/">[/URL]
  <NOFRAMES>
      <P>This frameset document contains:
      <UL>
         <LI><A href="contents_of_frame1.html">Some neat contents</A>
         <LI><IMG src="contents_of_frame2.gif" alt="A neat image">
         <LI><A href="contents_of_frame3.html">Some other neat contents</A>
      </UL>
  </NOFRAMES>
</FRAMESET>
</HTML>

*cLFlaVA
----------------------------
[tt]I already made like infinity of those at scout camp...[/tt]
[URL unfurl="true"]http://www.coryarthus.com/[/url]

 

[LFI]

I tried an update of your re.html:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "[URL unfurl="true"]http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">[/URL]

<html>
<head>
<title>Untitled</title>
<script>
[red]function loadGoogle()
{
 myDiv.innerHTML = '';
 parent.frames[1].document.location = '[URL unfurl="true"]http://www.google.com';[/URL]
}[/red]
</script>
</head>

<body>

<div id="myDiv"></div>

[red]<input type='button' value='load Google' onclick='loadGoogle();' />[/red]

</body>
</html>

Everything works as you say to begin with. msn.com loads in f2 and the innerHTML in the DIV of f1 is filled with 'done!'

THEN, I hit the new button I have added to try and redirect f2 again.

That is when I get the permission denied error.

Dave


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience!

 

[LFI]

NOTE: if I take out the SRC attribute of f2, so that msn.com is not loaded initially, when I hit my new button, Google loads fine. When I hit it again, however, I get the same 'Permission denied' error.

Dave


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience!

 

[cLFlaVA]

um, what?

function doThing() {
    top.frames['f1'].document.getElementById('myDiv').innerHTML = '<a href="#" onclick="top.frames[\'f2\'].location=\'[URL unfurl="true"]http://www.google.com/\';[/URL] return false;">Click Stuff</a>';
}

*cLFlaVA
----------------------------
[tt]I already made like infinity of those at scout camp...[/tt]
[URL unfurl="true"]http://www.coryarthus.com/[/url]

 

[cLFlaVA]

maybe can't be accessed from inside a page inside a frame...



*cLFlaVA
----------------------------
[tt]I already made like infinity of those at scout camp...[/tt]
[URL unfurl="true"]http://www.coryarthus.com/[/url]

 

[LFI]

Ah... you found it. I was trying the second redirect with document.location. It works when one just uses location.

Thanks.

Say 'ahhhhh'

Dave


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience!

 

[cLFlaVA]

thanks bud.



*cLFlaVA
----------------------------
[tt]I already made like infinity of those at scout camp...[/tt]
[URL unfurl="true"]http://www.coryarthus.com/[/url]

 

[Diancecht]

@clFlava: will you marry me?

I spent a few hours yesterday to make a script that would test for the contents of the frame with some timeout by examining the tags. It ended to work, but became too much complicated for what I was looking for.

Then I saw the light with your post. When I said I could not use the onLoad event, what I had in my mind is that the page to be loaded in the frame was out of my control, I couldn't inlcude an onLoad in its body tag.

My ignorance just didn't let me see beyond it. I had no idea the frame itself has an onLoad event. And no many people must know it, as I only found timeout scripts for this task.

Thank you very much, you deserved a star.

@LFI

Just as a remark, javascript has a set of security measures about frames. One of them is that you can't access one frame's content from another frame if both ones don't come from the same domain.

Don't ask me why, I sill don't fully understand myself why is that a security hole, but that's life.

Cheers,
Dian

 

[BabyJeffy]

Don't ask me why, I sill don't fully understand myself why is that a security hole, but that's life.

The web server at acme.adverts.com is compromised and the main template that is used to serve ads to the many clients of Acme Adverts is modified. The modification is nothing special... just the inclusion of a 0x0 pixel iframe that points to a page hosted somewhere else.

Without these security features in place, the page hosted in the iframe could access contents of the enclosing (or even ultimate parent) page. The iframe could use javascript to loop through all the variables and log them (so that someone can later retrieve them and check them out for possible passwords etc). Not to mention silently installing spy-ware as well.

That's why

You can get around it easily by having an arrangement with the company whose data is wrapped in an iframe... by allocating them a subdomain of your main domain... and pointing the DNS entry to them to manage. I've seen this in use at a large new site.

Cheers,
Jeff

[tt]Jeff's Page @ Code Couch

http://www.codecouch.com/jeff/

http://www.codecouch.com/jeff/blog/

[/tt]

What is Javascript? FAQ216-6094

 

[Diancecht]

Thanks for the aclaration. I understand that it's not so good leaving that for free but ...

So you mean Javascript security is intended to deal with compromised servers?

If I'm able to compromise that server ... wouldn't be easy to hijack the login page where you're retrieving the password from?

Cheers,
Dian

 

[cLFlaVA]

@clFlava: will you marry me?

if you are female, i will consider it. otherwise, sorry, i only play for one team.

thanks for the *.



*cLFlaVA
----------------------------
[tt]I already made like infinity of those at scout camp...[/tt]
[URL unfurl="true"]http://www.coryarthus.com/[/url]

 

[BabyJeffy]

So you mean Javascript security is intended to deal with compromised servers?

Not really, it's the browsers that have implemented this security.

There are many levels at which you could compromise the server... I used the specific example of an advert serving company because they are shown on many many many websites... some of which may have useful login screens (for instance).

Cheers,
Jeff

[tt]Jeff's Page @ Code Couch

http://www.codecouch.com/jeff/

http://www.codecouch.com/jeff/blog/

[/tt]

What is Javascript? FAQ216-6094

 

[Diancecht]

That's indeed a good point, a clear vulnerability but, from my point of view, the ad server company would be the one to ensure the integrity of their system, not charge this to the poor Javascript programmers that just want to play around with some innocent frames.

Cheers,
Dian

 

[theniteowl]

Think of it this way.
Even without a compromised server a web site with ill intent could load their own page and use a frame that went out and grabbed a legitimate web site that people were looking for and load it into that frame. The unsuspecting person would log legitimately into the site they wanted to get into but without the built-in protection we have now the scammer could read all the supposedly protected information from the other site because they have unrestricted access to any page they loaded into their own pages frames.

With the current security you CAN load a different site into a frame on your page but you lose access to the content and so cannot obtain confidential info from that site.


Paranoid? ME?? WHO WANTS TO KNOW????

 

[Diancecht]

That makes more sense, even though I'd never trust any site that links to my bank or mail account.

Anyway, if i do that, those sites could just replicate the login page into their own server and get my details the same way without a single javascript line, so the hole is still in the same place.

My feeling is that if the security restriction is here, there must be a reason. But to be sincere, even with your examples, there's a simple workaround that allows doing the same.

Thank you anyway for your effort to give some light to a dark and hard to convince mind.

Cheers,
Dian