Call to parent-frame script causes "Permission Denied"

I have a frameset page that has two frames from different domains, and tried to call (from one frame) a JavaScript function on the parent page to change the URL of the other frame, but received "Permission Denied".
A similar problem is described in the "Cross-frame scripting, works in FF but not IE" discussion.
  
I made sure the "Navigate sub-frames across different domains" was enabled for all my zones
 
> The scenario is of two different web servers. The parent frame (html
> page originates from server 1) has script like
> alert('parent invoked');
> Inside child frame (html originates from server 2) the html refers to
> parent script like
> parent.x1();
If you somehow manage to get this to work, please report it to browser
developers so they could patch it because it would be a security hole.
Essentially, you're attempting to perform cross-site scripting, the basics
of a cross-site scripting attack, one of the more dangerous ones.
If both pages come from the same parent domain, and both of them set the property document.domain to the same parent domain, scripts running in either frame will be allowed to talk to each other. For example, say the page http://www.example.com/ loads the page http://ajax.example.com/ in an iframe. Since both pages are in the domain example.com, if both set document.domain to "example.com" they will be given the ability to programmatically access each other's data.
Finally, I carefully read the MSDN "About Cross-Frame Scripting and Security" article and understood that you can SET window.location.href / document.location.href in the DHTML, but you can't call a JS function from another frame, even if it does the same window.location.href assignment.
posted @ Thursday, November 29, 2007 7:35 PM
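
The document.domain rule quoted in the post can be written out as a small model of when one frame may call script in another. This is an added example, not code from the original post or from any browser; the frame descriptor shape ({ url, domainSet }), the function names and the server1/server2 host names are assumptions made for illustration.

```javascript
// Model of the cross-frame script access rule (added example, not browser code).
// A frame is { url, domainSet }: domainSet is the value the page assigned to
// document.domain, or undefined if it never assigned one (hypothetical shape).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

// A page may set document.domain only to its own host or a parent domain of it.
// Simplification: real browsers consult the public suffix list; this model just
// rejects single-label parents such as "com".
function validDomainSetting(host, value) {
  return value === host || (value.includes(".") && host.endsWith("." + value));
}

function canScript(a, b) {
  const oa = originOf(a.url), ob = originOf(b.url);
  if (oa.scheme !== ob.scheme) return false;
  const aSet = a.domainSet !== undefined, bSet = b.domainSet !== undefined;
  if (aSet || bSet) {
    // The relaxation needs BOTH frames to opt in with the same value; the port
    // is then ignored. A one-sided opt-in never matches.
    return aSet && bSet && a.domainSet === b.domainSet &&
      validDomainSetting(oa.host, a.domainSet) &&
      validDomainSetting(ob.host, b.domainSet);
  }
  // Default rule: scheme, host and port must all be identical.
  return oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample frames.
const www = "http://www.example.com/", ajax = "http://ajax.example.com/";
const cases = [
  ["subdomains, nothing set", { url: www }, { url: ajax }],
  ["subdomains, both set example.com", { url: www, domainSet: "example.com" }, { url: ajax, domainSet: "example.com" }],
  ["subdomains, only child set", { url: www }, { url: ajax, domainSet: "example.com" }],
  ["two unrelated servers", { url: "http://server1.example.net/" }, { url: "http://server2.example.org/" }],
];
for (const [label, a, b] of cases) {
  console.log(label.padEnd(36), canScript(a, b) ? "access allowed" : "Permission Denied");
}
```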

Comments on this entry:

# re: Call to parent-frame script causes "Permission Denied"

Left by Chris at 3/22/2010 7:59 AM
Here is how to do it:

# re: Call to parent-frame script causes "Permission Denied"

Left by Chris at 3/22/2010 8:05 AM
PARENT

<html>
<script>
// Called by the script that the child server returns.
function childcall(s) { alert(s) }
function go() {
// The iframe has no src, so its document shares the parent's origin; the script
// written into it is fetched from the other server but runs in that document.
workarea.document.writeln('<' + "script src=http://any.site.you.want.on.any.domain.com/child.asp>"+ "<" + "/script>")
return false;
}
</script>
<body>
Blah
<form onsubmit="return go()"><input type=submit onclick="return go()"></form>
<iframe id=workarea>test</iframe>

<!-- script src=http://172.22.0.114/iMISpublic/testg.asp></script -->
</body>
</html>

CHILD

<%
Response.Write "parent.childcall('hello')"
%>

# re: Call to parent-frame script causes "Permission Denied"

Left by Chris at 3/22/2010 8:06 AM
(without the 172.22.0.114 comment line of course - sorry :-)

# re: Call to parent-frame script causes "Permission Denied"

Left by jjay at 12/6/2010 6:10 AM
yes, reporting to browser developers is a good thing to do but maybe we can't go for holiday and wait for ages until they work it out..hehe

aha...IE is full of security things and very restrictive but some ppl might like it that way...hehe ...i once got such a problem, but finally i changed to use a relative path (../) instead of http://... directly to files within the server of the site and it worked.

ps. it's sooo late to reply this but i'm sure even now some developers might get the same problem still and want to hear some solutions still ;)
