Geeks With Blogs

Michael Freidgeim's Blog MS .Net Development
I have a frameset page that has two frames from different domains, and tried to call(from one frame) javascript function on parent page to change URL on other  frame , but received
Permission Denied
The similar problem  described in "Cross-frame scripting, works in FF but not IE" discussion.
  
I made sure the "Navigate sub-frames across different domains" was enabled for all my zones
 
The scenario is of two different web servers. The parent frame (html
> page orginates from server 1) has script like
> alert('parent invoked');
> Inside child frame (html orginates from server 2) the html refers to
> parent script like
> parent.x1();
If you somehow manage to get this to work, please report it to browser
developers so they could patch it because it would be a security hole.
Essentially, you're attempting to perform cross-site scripting, basics
of cross-site scripting attack, one of more dangerous ones.
If both pages come from the same parent domain, and both of them set he property document.domain to the same parent domain, scripts running in either frame will be allowed to talk to each other. For example, say the page http://www.example.com/ loads the page http://ajax.example.com/ in an iframe. Since both pages are in the domain example.com, if both set document.domain to “example.com” they will be be given the ability to programatically access each other’s data.
Finally I carefully read MSDN About Cross-Frame Scripting and Security article and understood, that you can SET window.location.href /document.location.href  in the DHTML, but you can't call JS function from other Frame, even if it does the same window.location.href  assignment.
.
 
Posted on Thursday, November 29, 2007 7:35 PM ASP.NET , CSS/DHTML/JavaScript | Back to top


Comments on this post: Call to parent-frame script causes "Permission Denied"

# re: Call to parent-frame script causes "Permission Denied"
Requesting Gravatar...
Here is how to do it:
Left by Chris on Mar 22, 2010 7:59 AM

# re: Call to parent-frame script causes "Permission Denied"
Requesting Gravatar...
PARENT

<html>
<script>
function childcall(s) { alert(s) }
function go() {
workarea.document.writeln('<' + "script src=http://any.site.you.want.on.any.domain.com/child.asp>"+ "<" + "/script>")
return false;
}
</script>
<body>
Blah
<form onsubmit="return go()"><input type=submit onclick="return go()"></form>
<iframe id=workarea>test</iframe>
</html>

<!-- script src=http://172.22.0.114/iMISpublic/testg.asp></script-- >
</body>
</html>

CHILD

<%
Response.Write "parent.childcall('hello')"
%>
Left by Chris on Mar 22, 2010 8:05 AM

# re: Call to parent-frame script causes "Permission Denied"
Requesting Gravatar...
(without the 172.22.0.114 comment line of course - sorry :-)
Left by Chris on Mar 22, 2010 8:06 AM

# re: Call to parent-frame script causes "Permission Denied"
Requesting Gravatar...
yes, reporting to browser developers is a good thing to do but maybe we can't go for holiday and wait for ages until they work it out..hehe

aha...IE is full of security things and very restrict but some ppl might like it in that way...hehe ...i ever got such a problem, but finally i changed to used relative path (../) instead of http://... directly to files within the server of the site and it worked.

ps. it's sooo late to reply this but i'm sure even now some developers might get the same problem still and want to hear some solutions still ;)
Left by jjay on Dec 06, 2010 6:10 AM

# re: Call to parent-frame script causes "Permission Denied"
Requesting Gravatar...

lace accessories to present do in their good beauty again
Left by designer high heels on May 21, 2011 2:00 AM

Your comment:
 (will show your gravatar)


Copyright © Michael Freidgeim | Powered by: GeeksWithBlogs.net | Join free