I have a client side html page with an iframe that is pointed to a website as its source. The client side page has a button with javascript to access a div element inside the iframe. When I try running it, I get an ' Access is Denied' error. Here's the client side page:

<html>
<head>
<script type="text/javascript">
  function find() {
    var f = window.frames['MyFrame']
    alert(f.document.getElementById('mainContainerHeading').id);
    return false;
  }
</script>
</head>
<body>
  <input id="Button1" type="button" value="Find" onclick="javascript:return find();" />
  <iframe name="MyFrame" id="MyFrame" src="http://localhost/MyApp" height="100%" width="100%" />
</body>
</html>

I've verified that 'mainContainerHeading' exists. Is it possible to do this by adjusting permissions somehow or is it not allowed at all?

This sounds like a security feature of the browser.  You can not modify the source of an IFrame, if the content is coming from a different domain or security context than your own.  Is that what you're attempting to do?  If so, you can create a server-side proxy that will simply request the external page, and serve it up locally. 

-Tony

Dear,

i think you are accessing the iframe in a wrong way

in your javascript, replace var f = window.frames['MyFrame']
by var f = window.parent.frames['MyFrame']

and i think i will work fine

dont forget the DOM structure

Happy Coding

 

alert(document.getElementById("MyFrame").getElementById("mainContainerHeading").id);

as stated this only works in the same domain. Sub domains can be seen as seperate domains.

 Eric

Sorry Haissam but that isn't the situation. The code lives in the parent and tries to access the iframe's content. Sorry if that wasn't clear to you.

Tony and Eric, I don't want to modify the source at all. I just want to read the value from the source. From what I've seen, that is not allowed across domains and I won't be able to do what I want. I want the parent (local computer html doc) to access different network files based on the content of the iframe. I can't do it directly because of security issues and was trying this hack / work-around instead.

Can you confirm that even reading the html content in the iframe is disallowed when it crosses domains?

Thanks for you responses.

JavaScript can not read across domains, that is a security feature or it could read your bank account info, mail, etc.

 You can write a serverside page that will fetch the page and do a screenscrape to get the data.

 
Eric
 

I can't use serverside since the purpose is for the client page to access a network folder as a file explorer. Server side pages can't do that because of security issues.

While I understand the general purpose of the javascript security, I have to say that in my situation, I fail to see the security hole. A page on the client that uses javascript to read the html source of an iframe that is on your local browser isn't any less secure than the user doing it themselves. I guess the danger lies in the fact that javascript / html / browser isn't smart enough to recognize that it lives on the local machine and should be allowed to read client side html in a child frame.

Thank you for the info.

JavaScript really only cares about the origin of the IFRAME. So if the origin of the IFRAME points to something other than the script's domain the security is enabled. However imagine that JavaScript was allowed to read the network folder... If your website was hacked by a cross site scripting attack (XSS) the attacker would easily be able to gain access to the network folder information, exposing anything about your network to a hacker is a major security risk.

Thank you for the response SuperGhost but XSS doesn't apply here. There is no website. I'm talking about a client side HTML file. If the hacker has access to it at that point, he's already in! As you stated, only the origin seems to matter. Too bad JS isn't smart enough to realize there's nothing wrong with reading information the user is already reading.

Yes XSS does apply here. If a person finds a way to inject code in the page, he could serve up documents and password files. If you want a whole big explaination I will give it to you. I do talks on this stuff, it is amazing how a simple link can cause havoc on your system.

 If you really want to do this and you want to make it easy for you, you CAN do it, but I highly do not recommend it. You can change YOUR computer settings to allow cross domain access. MAKE SURE you only change it for your local intranet or even better only change it for sites that are approved.

 (Your serverside code should be able to read write if you set up your accounts correctly. Give a .NET account access to the folders)

Eric

I still don't see the XSS danger for my situation. I'm talking about an HTML file residing on the person's computer which is not set up as a webserver. There should be no more chance of XSS than for any other document on that person's computer (word file, excel file, text file, access database, etc.) If a person can modify this html file, then they are already inside the network and accessing the person's computer. That's a network security issue, not an XSS issue.

I do understand the dangers of XSS and am careful to keep event validation enabled and validate user input to prevent xss and sql injection. However, I consider myself only well-informed about the dangers. Therefore, I would like as full an explanation as you have time or interest in providing. 

Lastly, if you can explain how to change my computer settings to allow cross-domain access or point me to relevant documentation on how to do so, I would appreciate it. I don't know that I am going to go forward with this but I would like to investigate it some more. I've already informed my client that this can't be done so I'm not on the hook for it but I would like to add it to my bag of tricks in case it does ever become necessary.

Thank you for your time and patience with this thread. I appreciate your comments. -- ZLA

Under the security tab in IE 

Set the page as a trusted site

Change the trusted site settings with the custom button.

In the list of radio buttons, there should be a heading that says allow cross domain scripting or access or something like that. Set that to enabled.

There might be some other things to look at under the Scripting heading in there.

 Right now I am trying to hunt down a bug in my app that is cauing havoc on production so I will try to write out an explaination after I solve my little issue.

Eric

Your firewall should not be your last and only line of defence.  Perhaps you have a disgruntled employee who wants to lure you into giving him all of your passwords.  Or perhaps a hacker has managed to get through your firewall, but can not gain access to your protected files - do you really want to give him this option? 

Here's a scenario for you to ponder.  You receive an email from a friend with a useful html page.  Just save the page to your disk, and you can read emails from yahoo, gmail, etc. all from the same page.  You figure - wow, that's a great idea!  However, the page also contains a tiny weeny bit of code that accesses the hidden fields on each of those pages which stores your password.  It then uses an http post to send that information to someone who doesn't belong having that info.  Do you see where XSS becomes an issue here?  It's not just about breaching your network.  It's about multi-levels of security - not putting all of your eggs in one basket.

hth,

-Tony

Thanks Eric.