
Q1079 Security violation when accessing info from other frame


Symptom: Trying to get the URL or title of a page loaded in the other frame results in many errors.

Affects: All browsers version 3 and up.

Reason: Access to all information about documents from other domains is restricted on purpose. Imagine someone setting up a page with stock information and links to your online stock exchange. Using hidden frames or tiny windows, a script could monitor links and keystrokes and perhaps grab sensitive information. A more benign intrusion could be to monitor your browsing session, compiling information about your favorite sites and selling that information to ad agencies.

Workaround: Netscape will allow signed scripts to request access.

Here is an example of a request that needs signing if it is to run from the web:

<HTML>
<HEAD>
<SCRIPT>
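function showUrl() {
   // Request permission to read documents from other domains (signed scripts only)
   netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
   alert(top.frames[1].location.href);
   // Drop the privilege again as soon as the read is done
   netscape.security.PrivilegeManager.disablePrivilege("UniversalBrowserRead");
}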
</SCRIPT>
</HEAD>
<FRAMESET COLS="10%,*" onLoad="showUrl()">
<FRAME SRC="javascript:' '">
<FRAME SRC="http://www.netscape.com">
</FRAMESET>
</HTML> 

More info about signing can be found at http://developer.netscape.com/library/documentation/signedobj/signtool/index.htm
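
An added example, not part of the original irt.org answer: the origin comparison behind the restriction described under Reason, and a way to read a frame's URL that reports the denial instead of letting the error abort the script. The function names, the mock frame and the sample URLs are assumptions constructed so the code runs outside a browser.

```javascript
// Added example, not irt.org code. Names and sample URLs are constructed.

// Origin = scheme + host + port. Returns null for URLs with an opaque
// origin (javascript:, data:) or that do not parse.
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// By default, two documents may read each other only when origins match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// Read a frame's URL; report a denial instead of letting the error propagate.
function readFrameUrl(frame) {
  try {
    return { allowed: true, url: String(frame.location.href) };
  } catch (err) {
    return { allowed: false, url: null, error: err.name };
  }
}

// Constructed stand-in for a browser frame: reading href throws when the
// reading page and the framed page have different origins.
function mockFrame(readerUrl, frameUrl) {
  return {
    location: {
      get href() {
        if (!sameOrigin(readerUrl, frameUrl)) {
          const err = new Error("Permission denied to access property href");
          err.name = "SecurityError";
          throw err;
        }
        return frameUrl;
      },
    },
  };
}

const page = "http://www.example.com/frameset.html"; // constructed
console.log(readFrameUrl(mockFrame(page, "http://www.netscape.com")));
console.log(readFrameUrl(mockFrame(page, "HTTP://WWW.EXAMPLE.COM:80/inner.html")));
```

In a browser, pass a real entry of top.frames to readFrameUrl; the mock only exists so the example runs without one.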




Last Updated: 30th March 2008. Maintained by: Martin Webb and Michel Plungjan
Copyright © 1996-2008 irt.org, All Rights Reserved.