[OT] iFrames URL access.... - Linux

This is a discussion on [OT] iFrames URL access.... - Linux ; Yes, this is WAAAAAAAAY off topic here. But, when I have a question that cannot be answered elsewhere (such as this question) I like to toss it to the groups that I consider to have the most intelligent readers in ...

+ Reply to Thread
Results 1 to 6 of 6

Thread: [OT] iFrames URL access....

  1. [OT] iFrames URL access....

    Yes, this is WAAAAAAAAY off topic here. But, when I have a question that
    cannot be answered elsewhere (such as this question) I like to toss it to
    the groups that I consider to have the most intelligent readers in hopes
    that someone will have heard of the answer that I am seeking....hence the
    post here.

    I want to be able to read the current URL from an iframe in firefox, opera,
    safari and ie. I do not want read access to the page inside the iframe, nor
    do I want to be able to alter anything inside the iframe. I simply want to
    be able to save the URL of the iframe to a webservice that tracks my
    favorites by clicking a button on my parent page.

    I understand the need for cross-site security, but I do not understand the
    security problems inherant in allowing the parent page to access the URL of
    an iframe that it is hosting.

    Any help that you could throw my way would be reatly appreciated.

    Thanks!

    jim



  2. Re: [OT] iFrames URL access....

    In comp.os.linux.advocacy, jim

    wrote
    on Sat, 3 Nov 2007 18:12:58 -0400
    :
    > Yes, this is WAAAAAAAAY off topic here. But, when I have a question that
    > cannot be answered elsewhere (such as this question) I like to toss it to
    > the groups that I consider to have the most intelligent readers in hopes
    > that someone will have heard of the answer that I am seeking....hence the
    > post here.
    >
    > I want to be able to read the current URL from an iframe in firefox, opera,
    > safari and ie. I do not want read access to the page inside the iframe, nor
    > do I want to be able to alter anything inside the iframe. I simply want to
    > be able to save the URL of the iframe to a webservice that tracks my
    > favorites by clicking a button on my parent page.
    >
    > I understand the need for cross-site security, but I do not understand the
    > security problems inherant in allowing the parent page to access the URL of
    > an iframe that it is hosting.
    >
    > Any help that you could throw my way would be reatly appreciated.
    >
    > Thanks!
    >
    > jim
    >
    >


    For HTML, the suggested construct is p.contentDocument.url,
    where p is a pointer to the frame or iframe.

    http://www.w3schools.com/js/js_obj_htmldom.asp

    For XML, one can get the documentURI of the Document,
    or try to do something clever with the src attribute of
    the requisite Element.

    Regrettably, IE does not support p.contentDocument.url.

    Altering the URL in an iframe could be interesting (and
    potentially malevolent); however, accessing it shouldn't
    be a major security risk.

    --
    #191, ewill3@earthlink.net
    Windows Vista. It'll Fix Everything(tm).

    --
    Posted via a free Usenet account from http://www.teranews.com


  3. Re: [OT] iFrames URL access....

    On Sat, 03 Nov 2007 18:12:58 -0400, jim wrote:

    > Yes, this is WAAAAAAAAY off topic here. But, when I have a question that
    > cannot be answered elsewhere (such as this question) I like to toss it to
    > the groups that I consider to have the most intelligent readers in hopes
    > that someone will have heard of the answer that I am seeking....hence the
    > post here.
    >
    > I want to be able to read the current URL from an iframe in firefox, opera,
    > safari and ie. I do not want read access to the page inside the iframe, nor
    > do I want to be able to alter anything inside the iframe. I simply want to
    > be able to save the URL of the iframe to a webservice that tracks my
    > favorites by clicking a button on my parent page.
    >
    > I understand the need for cross-site security, but I do not understand the
    > security problems inherant in allowing the parent page to access the URL of
    > an iframe that it is hosting.
    >


    I believe (and fervently hope) that you are SOL with this request. If you
    *were* allowed access to the URL, this would represent a major security
    hole.

    URLs are not limited to www.whatever.com: consider those in the form
    http://www.somethingelse.com?usernam...ord=c0lar3ad3r as just one
    example.

    ISTR that even as long as 6 years ago, under a browser as insecure as IE,
    even access to something as apparently innocuous the readystate property of
    the frame or iframe in question was denied as soon as the browser realised
    that the URL belonged to a different domain.

    In my case (intranet only) I addressed the difficulty be defining custom
    DNS/host entries (site1.ourintranet.com, site2.ourintranet.com) to relax
    the restriction. No such course is available to you I'm afraid.

  4. Re: [OT] iFrames URL access....


    "Sean Inglis" wrote in message
    news:5p4k7kFlkdneU4@mid.individual.net...
    > On Sat, 03 Nov 2007 18:12:58 -0400, jim wrote:
    >
    >> Yes, this is WAAAAAAAAY off topic here. But, when I have a question that
    >> cannot be answered elsewhere (such as this question) I like to toss it to
    >> the groups that I consider to have the most intelligent readers in hopes
    >> that someone will have heard of the answer that I am seeking....hence the
    >> post here.
    >>
    >> I want to be able to read the current URL from an iframe in firefox,
    >> opera,
    >> safari and ie. I do not want read access to the page inside the iframe,
    >> nor
    >> do I want to be able to alter anything inside the iframe. I simply want
    >> to
    >> be able to save the URL of the iframe to a webservice that tracks my
    >> favorites by clicking a button on my parent page.
    >>
    >> I understand the need for cross-site security, but I do not understand
    >> the
    >> security problems inherant in allowing the parent page to access the URL
    >> of
    >> an iframe that it is hosting.
    >>

    >
    > I believe (and fervently hope) that you are SOL with this request. If you
    > *were* allowed access to the URL, this would represent a major security
    > hole.
    >
    > URLs are not limited to www.whatever.com: consider those in the form
    > http://www.somethingelse.com?usernam...ord=c0lar3ad3r as just one
    > example.
    >
    > ISTR that even as long as 6 years ago, under a browser as insecure as IE,
    > even access to something as apparently innocuous the readystate property
    > of
    > the frame or iframe in question was denied as soon as the browser realised
    > that the URL belonged to a different domain.
    >
    > In my case (intranet only) I addressed the difficulty be defining custom
    > DNS/host entries (site1.ourintranet.com, site2.ourintranet.com) to relax
    > the restriction. No such course is available to you I'm afraid.


    That is unfortunate.

    I have no intention of capturing private data or changing webpages without
    user permission - but I am sure that there are those that would. So,
    although I understand the technology behind limiting this access, it is a
    shame to limit this functionality.

    As far as the extra data in URLs that you pointed to, it seems that a little
    forward thinking would have come up with the concept of stripping extra data
    from URLs returned from the iframes instead of flatly denying all access to
    the URLs. Further thought may have conceived of the idea of allowing
    reading of the iframe document only after permission is recieved from the
    user of the parent page and flatly denying the ability to change the data in
    the iframe.

    But, a web standard is not exactly the place that you are likely to find a
    lot of forward thinking, now is it?

    I can still write the application that I had in mind, and have the same
    functionality, but it will be a bitch of a bandwidth hog for my servers.
    That means that the app (should I release it for public consumption) could
    not remain free AND ad free as I had planned.

    Oh well.....on to the next idea.

    Thanks so much for your forbearance in my posting such a wildly off-topic
    post and thanks for your answers.

    jim



  5. Open Source to the rescue?

    On Sun, 04 Nov 2007 00:07:51 -0400, jim wrote:

    > "Sean Inglis" wrote in message
    > news:5p4k7kFlkdneU4@mid.individual.net...
    >> On Sat, 03 Nov 2007 18:12:58 -0400, jim wrote:
    >>
    >>> Yes, this is WAAAAAAAAY off topic here. But, when I have a question that
    >>> cannot be answered elsewhere (such as this question) I like to toss it to
    >>> the groups that I consider to have the most intelligent readers in hopes
    >>> that someone will have heard of the answer that I am seeking....hence the
    >>> post here.
    >>>
    >>> I want to be able to read the current URL from an iframe in firefox,
    >>> opera,
    >>> safari and ie. I do not want read access to the page inside the iframe,
    >>> nor
    >>> do I want to be able to alter anything inside the iframe. I simply want
    >>> to
    >>> be able to save the URL of the iframe to a webservice that tracks my
    >>> favorites by clicking a button on my parent page.
    >>>
    >>> I understand the need for cross-site security, but I do not understand
    >>> the
    >>> security problems inherant in allowing the parent page to access the URL
    >>> of
    >>> an iframe that it is hosting.
    >>>

    >>
    >> I believe (and fervently hope) that you are SOL with this request. If you
    >> *were* allowed access to the URL, this would represent a major security
    >> hole.
    >>
    >> URLs are not limited to www.whatever.com: consider those in the form
    >> http://www.somethingelse.com?usernam...ord=c0lar3ad3r as just one
    >> example.
    >>
    >> ISTR that even as long as 6 years ago, under a browser as insecure as IE,
    >> even access to something as apparently innocuous the readystate property
    >> of
    >> the frame or iframe in question was denied as soon as the browser realised
    >> that the URL belonged to a different domain.
    >>
    >> In my case (intranet only) I addressed the difficulty be defining custom
    >> DNS/host entries (site1.ourintranet.com, site2.ourintranet.com) to relax
    >> the restriction. No such course is available to you I'm afraid.

    >
    > That is unfortunate.
    >
    > I have no intention of capturing private data or changing webpages without
    > user permission - but I am sure that there are those that would. So,
    > although I understand the technology behind limiting this access, it is a
    > shame to limit this functionality.


    I don't doubt that's the case - I didn't have any nefarious reasons
    either :-). There is *one* way you could achieve this, but it would involve
    altering and compiling your own browser - achievable when you have free
    access to the source code. I'm not sure if you could write a firefox
    extension to achieve the same end - simpler but it may be limited by trhe
    intrinsic browser security.

    Non-trivial, but possible with the open source model, and you won't find
    any shortage of people who can help you (I'm not really one of them I'm
    afraid).

    >
    > As far as the extra data in URLs that you pointed to, it seems that a
    > little forward thinking would have come up with the concept of stripping
    > extra data from URLs returned from the iframes instead of flatly denying
    > all access to the URLs. Further thought may have conceived of the idea
    > of allowing reading of the iframe document only after permission is
    > recieved from the user of the parent page and flatly denying the ability
    > to change the data in the iframe.
    >
    > But, a web standard is not exactly the place that you are likely to find
    > a lot of forward thinking, now is it?


    Well, I think it does a pretty good job, but it was initially hammered
    out in a more innocent age. There's no real way of determining that a piece
    of data should be stripped out of the URL, and some of these pieces will
    be essential to being able to navigate to the correct page:

    www.testdomain.com?pageid=23

    for instance.

  6. Re: Open Source to the rescue?


    "Sean Inglis" wrote in message
    news:5p5qemFlkdneU5@mid.individual.net...
    > On Sun, 04 Nov 2007 00:07:51 -0400, jim wrote:
    >
    >> "Sean Inglis" wrote in message
    >> news:5p4k7kFlkdneU4@mid.individual.net...
    >>> On Sat, 03 Nov 2007 18:12:58 -0400, jim wrote:
    >>>
    >>>> Yes, this is WAAAAAAAAY off topic here. But, when I have a question
    >>>> that
    >>>> cannot be answered elsewhere (such as this question) I like to toss it
    >>>> to
    >>>> the groups that I consider to have the most intelligent readers in
    >>>> hopes
    >>>> that someone will have heard of the answer that I am seeking....hence
    >>>> the
    >>>> post here.
    >>>>
    >>>> I want to be able to read the current URL from an iframe in firefox,
    >>>> opera,
    >>>> safari and ie. I do not want read access to the page inside the
    >>>> iframe,
    >>>> nor
    >>>> do I want to be able to alter anything inside the iframe. I simply
    >>>> want
    >>>> to
    >>>> be able to save the URL of the iframe to a webservice that tracks my
    >>>> favorites by clicking a button on my parent page.
    >>>>
    >>>> I understand the need for cross-site security, but I do not understand
    >>>> the
    >>>> security problems inherant in allowing the parent page to access the
    >>>> URL
    >>>> of
    >>>> an iframe that it is hosting.
    >>>>
    >>>
    >>> I believe (and fervently hope) that you are SOL with this request. If
    >>> you
    >>> *were* allowed access to the URL, this would represent a major security
    >>> hole.
    >>>
    >>> URLs are not limited to www.whatever.com: consider those in the form
    >>> http://www.somethingelse.com?usernam...ord=c0lar3ad3r as just
    >>> one
    >>> example.
    >>>
    >>> ISTR that even as long as 6 years ago, under a browser as insecure as
    >>> IE,
    >>> even access to something as apparently innocuous the readystate property
    >>> of
    >>> the frame or iframe in question was denied as soon as the browser
    >>> realised
    >>> that the URL belonged to a different domain.
    >>>
    >>> In my case (intranet only) I addressed the difficulty be defining custom
    >>> DNS/host entries (site1.ourintranet.com, site2.ourintranet.com) to relax
    >>> the restriction. No such course is available to you I'm afraid.

    >>
    >> That is unfortunate.
    >>
    >> I have no intention of capturing private data or changing webpages
    >> without
    >> user permission - but I am sure that there are those that would. So,
    >> although I understand the technology behind limiting this access, it is a
    >> shame to limit this functionality.

    >
    > I don't doubt that's the case - I didn't have any nefarious reasons
    > either :-). There is *one* way you could achieve this, but it would
    > involve
    > altering and compiling your own browser - achievable when you have free
    > access to the source code. I'm not sure if you could write a firefox
    > extension to achieve the same end - simpler but it may be limited by trhe
    > intrinsic browser security.
    >
    > Non-trivial, but possible with the open source model, and you won't find
    > any shortage of people who can help you (I'm not really one of them I'm
    > afraid).


    One of the main points of the original idea was that there would be nothing
    to install, and the bandwidth to provide the parent page would be small.
    Some people cannot install anything they want on the PC they may need to
    access their favorites from - like at a locked down workplace, school or
    public library or internet cafe. Doing the whole thing as a web page would
    ensure that everyone could use it.

    I could make it a no-install application, but the minimum download would be
    just shy of 3MB. Multiply that times a few thousand users in a day and
    you've got yourself a bandwidth hog in the makings.

    >
    >>
    >> As far as the extra data in URLs that you pointed to, it seems that a
    >> little forward thinking would have come up with the concept of stripping
    >> extra data from URLs returned from the iframes instead of flatly denying
    >> all access to the URLs. Further thought may have conceived of the idea
    >> of allowing reading of the iframe document only after permission is
    >> recieved from the user of the parent page and flatly denying the ability
    >> to change the data in the iframe.
    >>
    >> But, a web standard is not exactly the place that you are likely to find
    >> a lot of forward thinking, now is it?

    >
    > Well, I think it does a pretty good job, but it was initially hammered
    > out in a more innocent age. There's no real way of determining that a
    > piece
    > of data should be stripped out of the URL, and some of these pieces will
    > be essential to being able to navigate to the correct page:
    >
    > www.testdomain.com?pageid=23
    >
    > for instance.


    I see what you mean.

    There is a way to do it using proxies, but it would be bandwidth intensive
    and would require ads or a fee-based system because of the high bandwidth
    usage.

    Thanks for your thoughts.

    jim



+ Reply to Thread