Cross-frame scripting and Localhost

T

taoberly

Hello,

Is it possible to run an HTML file from "localhost" and bypass the
various security checks in place for cross-frame scripting? For
example, on a 2-frame page loaded locally:

a) frame 1 includes a form that accepts the name of a web site
(example: www.foo.com), which a script or perhaps a "target" attribute
then loads into frame 2
b) frame 1 waits for frame 2 to load, then reads (for example)
top.frame2.document.images.length and displays the total in frame 1

I realize that "localhost" is not going to match the domain appearing
in frame 2, but as I myself am running the script, logically, where is
the harm?

I haven't done much testing with this yet, but am planning an
application around this concept and am hoping I can make it work. Any
pointers?

Thanks,

Todd
 
R

Randy Webb

(e-mail address removed) said the following on 4/24/2006 10:55 AM:
Hello,

Is it possible to run an HTML file from "localhost" and bypass the
various security checks in place for cross-frame scripting? For
example, on a 2-frame page loaded locally:

a) frame 1 includes a form that accepts the name of a web site
(example: www.foo.com), which a script or perhaps a "target" attribute
then loads into frame 2
Click to expand...

Did you test it?
b) frame 1 waits for frame 2 to load, then reads (for example)
top.frame2.document.images.length and displays the total in frame 1
Click to expand...

Did you test it?
I realize that "localhost" is not going to match the domain appearing
in frame 2, but as I myself am running the script, logically, where is
the harm?
Click to expand...

Did you test it?
I haven't done much testing with this yet, but am planning an
application around this concept and am hoping I can make it work. Any
pointers?
Click to expand...

Test it.
 
T

taoberly

Randy said:
(e-mail address removed) said the following on 4/24/2006 10:55 AM:

Did you test it?


Did you test it?


Did you test it?


Test it.
Click to expand...

I think your record is stuck.

I ran some more tests this morning, but nothing worked in Firefox. I
posted because I couldn't be sure it wasn't from something I was doing
wrong, and because I still don't see any security implications. It
seems that not only is the DOM structure unavailable, but the onload
event is never triggered in the first place. If any of this doesn't
sound right, I would appreciate somebody replying without posing more
questions.

It seems like a case of unimaginative programming to me, but at least
falling-back to IE and HTA's will appear to do the job. No, I haven't
tested it yet.

Todd
 
T

taoberly

Ah, HTA's. :) Until today, I hadn't realized that "localhost" falls
into the category of "any old site", and was still trying to make
something vaguely standards-compliant. But I've fallen-back on HTA's
before and I can do it again. Thanks for the URL!

Todd
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Cross Domain (Friendly) Frame Scripting on IE 7 2
IE "Mark of the Web" cross-frame scripting? 11
Cross-Domain-Scripting 1
cross frame script needed 3
DOM Created Elements / Cross Frame Scripting Problem. Firefox 6
Firefox and cross domain ajax calls 5
Architectural advice needed on client-side browser scripting 5
Final chapter of "Learn PHP, MySQL and JavaScript" 3

Members online

No members online now.
Total: 57 (members: 1, guests: 56)
Robots: 391

Forum statistics

Threads
473,982
Messages
2,570,190
Members
46,736
Latest member
zacharyharris

Latest Threads

Top