3

The HTML parent window and iFrame content know about each other and communicate freely when they live on the same web server. When they are saved to DVD, Chrome throws an "Unsafe JavaScript attempt to access frame with URL" when iFrame tries to contact top as a local file.

The catch below catches the permission error, but the error is still registered by the browser and visible to the user.

Is it possible to test first if this access is allowed before attempting to access to preclude the unsafe JavaScript error?

           // Called from script in an iframe
           function findSiblingIFrame(sibId) {
                 try {
                       var sibFrame = top.document.getElementById(sibId);
                       if (sibFrame != null) {
                           alert("found sibling iframe");
                       } else {
                           alert("did not find sibling iframe");
                       }
                   }
                   catch (err) {
                      alert("not allowed to find sibling iframe");
                      // Would rather test if permission first to prevent
                      // browser from registering the error.
                   }
           }
spiraleddy
  • 147
  • 10
  • Check out http://www.netomatix.com/development/webcaspermissions.aspx. It may or may not help with as a starting point. – MethodMan Dec 02 '11 at 21:20
  • 1
    Thanks for the link, but checking browser permission level doesn't help this case. I'm looking for a clean way to determine if parent is in same domain as child without having to generate a cross-site script error through the parent.location.xyz call. Its like having to place a hand on the stove in order to test if the stove is hot. It's just uncomfortable explaining that the big red ERROR ON PAGE icon FireFox puts on the browser page means the code is working correctly. – spiraleddy Feb 02 '12 at 15:48

2 Answers2

0

I ended up using HTML5 messaging to pass potential sandboxed requests up and down the iframe hierarchy.

For example, each html page in a nested iframe hierarchy has access to the following javascript. If the caught HTML5 message request cannot be executed locally, the message is passed up to the parent. The parent can also pass messages down to iframes. This only works because all the pages have access to the same javascript file.

// function to handle message request
function messageHandler(argJSON) {
    // A collection of available functions for inbound messages
    var msgFunctionMap = new Object();
    msgFunctionMap.removeBorder = removeBorder;
    msgFunctionMap.restoreBorder = restoreBorder;
    // ...more
    // try execute request
    try {
        var jsonObj = JSON.parse(argJSON.data);
        msgFunctionMap[jsonObj.request](jsonObj.args);
    }
    catch (err) {
        alert(" Request not supported: " + argJSON.data);
    }
};
// example function to remove object id x's border if it exists in "this" window, else pass request up
var removeBorder = function (jsonMsg, argObj) {
    var xiFrame = document.getElementById("x");
    if (xiFrame != null) {
        xiOrigWidth = xiFrame.style.borderWidth;
        xiFrame.style.borderWidth = '0px';
    }
    // Otherwise, pass message up else if (window.parent && window.parent.postMessage) {
        window.parent.postMessage(jsonMsg.data, "*");
    }
};
//... more
// pass predefined message request from child to parent
function messageUpHandler(message) {
    if (window.parent && window.parent.postMessage) {
        window.parent.postMessage(message.data, "*");
    }
};
// Listener for child messages
if (window.addEventListener) {
    window.addEventListener("message", messageUpHandler, true);
}
spiraleddy
  • 147
  • 10
0

Just check for window.location.protocol and then you can have different behaviors wether it's running on a web server (http:) or locally (file:).

You should be aware though that different browsers have different permissions regarding these things, so you should check the user's browser too.

Felipe Brahm
  • 3,162
  • 1
  • 28
  • 42
  • It's just Chrome that has the (file:) issue, but I was afraid that (http:) might also start limiting iframe to parent communications. See my posted result below – spiraleddy May 08 '12 at 17:46