Don't put my page in your pop-up window

pop up preventing

     
11:47 pm on Oct 29, 2003 (gmt 0)

New User

10+ Year Member

joined:Oct 29, 2003
posts:5
votes: 0


There seems to be a growing trend where other sites open a pop-up window without the navigation bar, just so they can feature some content without giving credit to the publisher.

I wondered if there is a way to code my page to sniff out the window opener value and close the window if it's not an address from my own domain. In other words, I want the window to automatically close if www.badguys.com puts my page in their pop-up window.

A quick search of the web reveals tons of examples for breaking out of other sites' frames, but breaking out of another site's pop-up seems more elusive.

11:55 pm on Oct 29, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 26, 2003
posts:881
votes: 0


In the page that might be used as a popup...

<script type="text/javascript"> 
<!--
var loc = null;
if (window.opener) {
  loc = window.opener.location.href;
}
// loc stays null when there is no opener, so test it before calling search()
if (loc && loc.search(/badguys\.com/i) > -1) {
  self.close();
}
//-->
</script>

Or reverse the logic...

... 
if ((loc) && (loc.search(/yoursite\.com/i) == -1)) {
  self.close();
}
...

Or you could also make it generic...

... 
if (window.opener) {
  self.close();
}
...

Jordan

3:31 pm on Oct 30, 2003 (gmt 0)

New User

10+ Year Member

joined:Oct 29, 2003
posts:5
votes: 0


That works when I launch the page from the desktop, but once I published it to the web, it doesn't seem to do the trick.

See [camaro.com...]

In this test, camaro.com is the "bad guy" trying to pop-up the page at [rpmworld.com...]

Using the reverse logic you described, the pop up should only allow a window.opener from the rpmworld.com domain, but it works anyway. Did I do something wrong?

Since I will only know the good sites and not the bad guys, I have to filter out everything but my own domain. I also want to be sure the page appears in a pop-up window at my site, so if there is no window.opener value the page should redirect (because someone is hard linking to it, and we don't want that).

10:08 pm on Oct 30, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 26, 2003
posts:881
votes: 0


Doh, I just realized that there is an XSSS (Cross-Site Script Security) issue here...since window.opener is from a different domain you can't directly check its location.href object in an unsigned script (which is why it only worked locally), so testme.html throws an exception...

Error: uncaught exception: Permission denied to get property Location.href

But...since you only want to check that the site is in the same domain as yours (i.e., is a good site), you can use this behavior to your advantage...

<script type="text/javascript">  
<!--
var loc = null;
try {
  if (window.opener) {
    loc = window.opener.location.href;
  }
  if ((loc) && (loc.search(/rpmworld\.com/i) == -1)) {
    self.close();
  }
}
catch(e) {
  if(e.indexOf("Permission denied to get property") > -1) {
    self.close();
  }
}
//-->
</script>

You should (theoretically) only reach the exception if the site that opened the window is from a different domain -- in which case the exception is silently caught and the window is closed.

I think that will work.

Jordan

10:39 pm on Oct 30, 2003 (gmt 0)

New User

10+ Year Member

joined:Oct 29, 2003
posts:5
votes: 0


That sure sounded right, but I modified the code accordingly, and it doesn't work.

10:48 pm on Oct 30, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 26, 2003
posts:881
votes: 0


It now works in Mozilla, and Opera, but not IE...lol. I forgot that when IE catch()'s an exception it doesn't return the exception description, it only returns the exception object...so the indexOf() condition in the catch block will always be false for IE.

The way the script is set up, it shouldn't be catching any other errors, so it should be safe to change the catch block to...

catch(e) {
  self.close();
}

...and just cut out the check...this way it should work in IE as well. At least, I think so...but of course, no guarantees, lol. :)

Jordan

11:42 pm on Oct 30, 2003 (gmt 0)

New User

10+ Year Member

joined:Oct 29, 2003
posts:5
votes: 0


Thank you for sticking with it and solving that one, Jordan, I really appreciate it!

I added one more line to your code that stops hard linking as well. I don't know if this is good Javascript coding or not, but it seems to do the trick:

<script type="text/javascript">
<!--
var loc = null;
try {
  if (window.opener) {
    loc = window.opener.location.href;
  }
  if ((loc) && (loc.search(/rpmworld\.com/i) == -1)) {
    self.close();
  }
  if (loc == null) {
    if (document.referrer.indexOf("http://www.rpmworld.com") == -1) location = 'index.html';
  }
}
catch(e) {
  self.close();
}
//-->
</script>

4:53 am on Oct 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 26, 2003
posts:881
votes: 0


Glad it got working. :)

Also, you'll have to pardon my rudeness, I don't know where my manners went! Welcome to WebmasterWorld!

The script looks fine, but it can be optimized a bit further and cleaned up a bit (not that there was anything wrong with your formatting, I'm just a symmetry-freak...everything has to match or I'll break out in a cold sweat ;p ).

<script type="text/javascript"> 
<!--
var loc = null;

try {
  if (window.opener) {
    // only need to catch this assignment's failure
    loc = window.opener.location.href;
  }
}
catch (e) {
  // assignment failed; assuming cross-domain popup
  self.close();
}

if (loc) { // assignment worked, loc is not null
  // assuming same-domain popup, do nothing, clean up
  delete loc;
}

// check if it's a cross-domain reference
if (document.referrer.search(/rpmworld\.com/i) == -1) {
  // ...if so, only give it the front page
  window.location.href = 'http://rpmworld.com/index.html';
}

//-->
</script>

Couple points of explanation:

The indexOf() method looks for a string as a substring of another string -- it returns the position in the search string of the substring, or -1 if it's not found.

The search() method looks for a Regular Expression (RegExp) pattern in a string using an internal RegExp match operation -- it returns the position in the search string of the RegExp pattern match, or -1 if it's not found.

A 'literal' RegExp pattern is delimited by // and the pattern goes between with any operators after (operators are i for case insensitive and g for global), any special chars should be escaped (\). So the RegExp '/rpmworld\.com/i', matches 'rpmworld.com', case insensitively.

Happy coding. :)

Jordan

2:56 pm on Oct 31, 2003 (gmt 0)

New User

10+ Year Member

joined:Oct 29, 2003
posts:5
votes: 0


That looks real nice, thanks for the extra effort.
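
Added example, not part of the original thread or any poster's code: the final script's opener and referrer logic written as a testable function, with the substring regex shown beside an exact hostname comparison. The regex matches `rpmworld.com` anywhere in the URL, so it also accepts addresses that merely contain that text. `ALLOWED_HOSTS`, `hostIsAllowed`, `classifyVisit`, the `win`/`doc` stand-ins and every sample URL are constructed for illustration.

```javascript
// Assumed allowlist for this example; adjust to the site's real hostnames.
const ALLOWED_HOSTS = ['rpmworld.com', 'www.rpmworld.com'];

// The check used in the thread: true if the text appears anywhere in the URL.
function substringCheck(url) {
  return url.search(/rpmworld\.com/i) > -1;
}

// Stricter check: parse the URL and compare the hostname exactly.
function hostIsAllowed(url, allowed = ALLOWED_HOSTS) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // empty or malformed value: treat as untrusted
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return allowed.includes(parsed.hostname.toLowerCase());
}

// Decide what the page should do. `win` and `doc` stand in for the browser's
// window and document so the logic can also run outside a browser.
function classifyVisit(win, doc) {
  if (win.opener) {
    let href;
    try {
      href = win.opener.location.href; // throws for a cross-origin opener
    } catch (e) {
      return 'close'; // opener unreadable: opened from another origin
    }
    return hostIsAllowed(href) ? 'allow' : 'close';
  }
  // No opener: direct navigation or a hard link, so fall back to the referrer.
  return hostIsAllowed(doc.referrer) ? 'allow' : 'redirect';
}

// Constructed stand-in for a cross-origin opener whose href cannot be read.
const crossOriginOpener = {
  location: {
    get href() { throw new Error('Permission denied'); },
  },
};
```

In the page itself, call `classifyVisit(window, document)` and act on the result with `self.close()` or a redirect to the front page. An empty referrer is treated as untrusted here, which matches the thread's intent of sending hard links to the index page.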