External Frame Breaking

Forum Moderators: open

Message Too Old, No Replies

External Frame Breaking

A problem I need help with, concerning frame breaking

qianxing

3:57 am on Dec 14, 2000 (gmt 0)

In Javascript, I'm try to break a frame, across domains, from the outside, but it's not working. When I use:

top.location = parent.frames["frame1"].location;

it throws me a security violation in MSIE and just ignores it in Netscape.

Does anyone know why this is and what I can do to get around it?

Thanks ahead of time for any help :)

-qianxing

tedster

4:46 am on Dec 14, 2000 (gmt 0)

hello qianxing,

Check this discussion [webmasterworld.com] for another way to break out of any frames imposed on your page from an outside domain.

As I understand it, frames[] is an array, and the arguments are numerical, not alpha. However, even if you use frames[1], your code will still run into trouble. It's better and simpler to use another approach.

What you need to say is "If this page isn't the top, make it the top." It doesn't matter what document is where in the frames array.

qianxing

7:47 am on Dec 14, 2000 (gmt 0)

It's not a problem with syntax or anything like that. When I tried this all on the same domain, it worked fine. It's just when I try to get the location attribute on the window object (in this case a frame) on another domain, it throws this security violation.

tedster

8:13 am on Dec 14, 2000 (gmt 0)

I understand how that could happen. Access to objects defined on another server raises all kinds of security issues.

Maybe I don't understand what you are trying to do. Is there a problem with the code I linked you to? It doesn't need to address the other domain at all.

if (parent != self) top.location.replace("yourpage.html");

qianxing

3:31 pm on Dec 14, 2000 (gmt 0)

The problem is that I don't have access to the code of the page in the frame I am trying bring to the top. I'm having to do this externally, from another frame.

tedster

10:46 pm on Dec 14, 2000 (gmt 0)

qianxing,

You are up against the "same origin" security restrictions written into JavaScript. Frame busting scripts are normally written into the code of the page that you want to make the top location. Imposing that kind of change through JavaScript code from a different server just won't happen -- if it could, all kinds of mischief might follow, such as reading properties of other windows behind firewalls and so on.

To access properties in this way, you need to use a signed script with UniversalBrowserRead privileges, and even then it wouldn't be automatic, but would require explicit permission every time it is accessed.

However, I assume you have some relationship to the domain that is framing the original document. If so, there are other ways to accomplish your purpose. The code on the page you want to take to the top can make its properties available to others through a user defined variable, i.e.

document.mylocation=document.location

Then your code can access the mylocation property without a security violation. I've never tried this myself, but this is the way it's supposed to work in theory.

qianxing

7:28 am on Dec 15, 2000 (gmt 0)

Yeah, I've come to the conclusion that I can't do it with javascript without being able to add something to the other site. I'll just have to see if I can cut through the layers with this and get something done with that.

Thanks for all of your help, Tedster :)

-qianxing