javascript - Why can a child redirect a parent frame?


I have looked at these 2 questions, and I don't understand:

Redirect parent window from an iframe action

How to prevent an iframe from redirecting the top-level window

On the one hand it appears you can redirect the parent from an iframe, and on the other hand you cannot? When I try it, I have no problem redirecting the parent frame. I'm curious why you supposedly cannot redirect the parent frame unless it is on the same domain. I can redirect without having the frame on the same domain.

As stated previously, you can redirect the parent from an iframe. One thing to bear in mind is that both the website and the site contained in the iframe need to be on the same domain for this to work, or you'll get an access denied exception.

Is it browser related?

Edit

I have 2 pages, and it works when it shouldn't:

on domain 1

<html>
  <body>
    <iframe src="http://domain2.fr"></iframe>
  </body>
</html>

on domain 2

<html>
  <body>
    <script type="text/javascript">
      window.top.location.href = "http://google.fr";
    </script>
  </body>
</html>

The answer to why this is possible is simple. window.location is part of the Web API, not of the JavaScript core. It's part of the DOM interface, hence it's governed by the W3C, not ECMA. That's why it allows you to manipulate the top window's properties.

Strictly speaking, JS isn't capable of doing this, because it lacks IO capabilities, which makes the language extremely portable. That's why browser implementations require the DOM API to query the DOM, request repaints or interact with the client. The DOM, though, does need IO, because it renders and reads the actual UI. People in the ECMAScript committee would rather have seen access to window.top heavily restricted, if not removed altogether, for XSS vulnerability reasons. Sadly the W3C agreed to disagree, and implemented the window.top reference anyway.

Who's right or wrong in this case? I don't know. It's easy to redirect a client to a malicious site from within an iframe, which is unsafe. It's frustrating to have an iframe and not have access to the top window, as that would mean not being able to interact with the client easily. But that's not the point here. The bottom line is, you can change the top window's properties, and it can be useful. Think mashups. They pose a lot of challenges in terms of XSS safety, but open up a lot of new and exciting possibilities for web apps. To plug some of the dangerous XSS vulnerabilities, take a look at ADsafe, created by Douglas Crockford. Google has a similar lib, I forgot the name atm...

The same origin policy doesn't apply here, either. By changing the URL in the address bar of the browser window, you're changing the window.top.location.href property too. If there were same-origin restrictions there, the internet would be dead. You're not sending a request to a location, you're not getting data from a third-party resource and loading it in the page; you're redirecting the browser's location, which closes and clears the DOM.
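An added example, not part of the question or the answer above, showing the parent-side control that the second linked question asks about: the iframe sandbox attribute. It reuses the domain2.fr and google.fr addresses from the question; the srcdoc frame is a constructed stand-in for the domain 2 page so the behaviour can be seen offline from a single file.

```html
<!-- Parent page on domain 1 (the page the framing site controls). -->
<!DOCTYPE html>
<html>
  <body>
    <h1>Top-level page on domain 1</h1>

    <!-- Weak: an unsandboxed frame may navigate the top-level window,
         exactly as the question's domain2.fr page does. -->
    <iframe src="http://domain2.fr"></iframe>

    <!-- Hardened: a sandbox attribute without the allow-top-navigation
         token makes the browser refuse the framed page's assignment to
         window.top.location. allow-scripts still lets its scripts run;
         allow-same-origin is deliberately omitted so the frame gets an
         opaque origin rather than the rights of domain2.fr. -->
    <iframe sandbox="allow-scripts" src="http://domain2.fr"></iframe>

    <!-- Offline demo (constructed): the framed document is supplied
         inline via srcdoc and tries the same redirect. Under this
         sandbox the href assignment throws a SecurityError, which the
         frame displays instead of navigating the top window. -->
    <iframe sandbox="allow-scripts"
      srcdoc="<body><script>
        try {
          window.top.location.href = 'http://google.fr';
          document.body.textContent = 'top navigated (sandbox missing?)';
        } catch (e) {
          document.body.textContent = 'blocked: ' + e.name;
        }
      </script></body>">
    </iframe>
  </body>
</html>
```

If framed content legitimately needs to send the user elsewhere, add allow-top-navigation-by-user-activation rather than allow-top-navigation, so only a user gesture inside the frame can trigger the navigation.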

