2

I understand that cross-site scripting (XSS) is not good and is not supported in most browsers. However, I am building a page to be used only by about 3 or 4 people within my company. On this page I have a frame from another domain and I need the parent page to be able to access the values within that frame.

So my question is, is there a way (changing settings, etc), in either Firefox or IE7, to allow this to happen? Preferably (though not necessarily) any setting change would be for my domain explicitly.

I've found some help online that says that in FF you can add capability.policy to allow this. I haven't had any luck though, perhaps that isn't supported in FF3.

3 Answers

1

For those looking, there is a great backwards-compatible, JavaScript-only way to communicate across domains. Short, easy code as well. Perfect solution? As long as you have request modifications to the parent and the child:

http://www.onlineaspect.com/2010/01/15/backwards-compatible-postmessage/

Kyle Cureau
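The cross-domain messaging approach from the answer above, shown with the browser's native `window.postMessage` and origin checks on both sides. This is an added example, not code from the linked article or from any answer on this page; the two origins, the iframe id `appFrame` and the field ids are assumed placeholders, and both pages must be modifiable.

```javascript
// Added example; origins, iframe id and field ids are assumed placeholders.
const PARENT_ORIGIN = 'https://intranet.example.com'; // page you control
const FRAME_ORIGIN = 'https://app.example.net';       // framed page on the other domain
const READABLE_FIELDS = ['orderId', 'status'];        // ids the frame agrees to expose

// Accept only JSON strings that decode to an object; anything else is dropped.
function parseMessage(data) {
  if (typeof data !== 'string') return null;
  let obj;
  try { obj = JSON.parse(data); } catch (e) { return null; }
  return obj !== null && typeof obj === 'object' ? obj : null;
}

// Framed page: answer read requests from the known parent, for listed fields only.
function makeFrameResponder(doc) {
  return function onMessage(event) {
    if (event.origin !== PARENT_ORIGIN) return false; // some other embedder
    const req = parseMessage(event.data);
    if (!req || req.type !== 'read' || !READABLE_FIELDS.includes(req.field)) return false;
    const el = doc.getElementById(req.field);
    const reply = { type: 'value', field: req.field, value: el ? String(el.value) : null };
    event.source.postMessage(JSON.stringify(reply), event.origin); // explicit target, never '*'
    return true;
  };
}

// Parent page: accept values only from the expected frame window and origin.
function makeParentReceiver(frameWindow, onValue) {
  return function onMessage(event) {
    if (event.origin !== FRAME_ORIGIN || event.source !== frameWindow) return false;
    const msg = parseMessage(event.data);
    if (!msg || msg.type !== 'value' || !READABLE_FIELDS.includes(msg.field)) return false;
    if (typeof msg.value !== 'string' && msg.value !== null) return false;
    onValue(msg.field, msg.value); // untrusted text: render with textContent, not innerHTML
    return true;
  };
}

// Browser wiring (skipped outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (window.parent !== window) {
    window.addEventListener('message', makeFrameResponder(document));
  } else {
    const frameEl = document.getElementById('appFrame');
    window.addEventListener('message', makeParentReceiver(frameEl.contentWindow, console.log));
    frameEl.addEventListener('load', () => frameEl.contentWindow.postMessage(
      JSON.stringify({ type: 'read', field: 'status' }), FRAME_ORIGIN));
  }
}
```

The frame never exposes a field that is not on its allow-list, so the parent gains read access to named values only, not to the frame's whole DOM.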
0

A couple of ideas off the top of my head:

  • In IE you can change the settings for the security zone that your site is in. I suggest you add the domains to "Trusted sites" and then make sure that "Access data sources across domains" is enabled for the Trusted Sites zone. You can find more info here.

  • If you have a domain-name which you have control over, maybe you can set up sub-domains which point to the sites in the different frames? Thereby fooling the web browser that they are part of the same site?

  • If you like coding you can create a custom app which uses the IE-browser control and implements its own IInternetSecurityManager (http://msdn.microsoft.com/en-us/library/ms537130(VS.85).aspx) which allows cross-domain script access.

Yrlec
  • I've tried setting up the trusted site and access data across domains. That was my first idea too, but alas for some reason that doesn't work. It really seems like there should just be a switch like that though. I could try the subdomain trick. It's a bit of a bitch, but if it works.... –  May 08 '09 at 22:27
  • There's also the security-option "Navigate windows and frames across different domains". Make sure that is enabled as well. – Yrlec May 08 '09 at 22:55
0

Another option is to set up a proxy page so that the pages appear to originate in the same domain. Proxy pages can be terribly vulnerable to XSS, depending on implementation. Even though you state that that's not a concern here, it's important to consider.

outis
  • Do you know where I can get more information about how to do this? –  May 11 '09 at 19:00
  • Not off hand. I've never needed a reference for the technique. You could see what Google has to say: http://www.google.com/search?q=AJAX+PHP+proxy – outis May 12 '09 at 06:24