window permission denied

Posted: Mon Apr 28, 2003 3:37 pm
by Heavy
Try this code. It is a so-called "frame buster", intended to break any frame this code is loaded into, to prevent loading the page into a faulty window object hierarchy.

Code:

<html>
	<head>
		<script language="JavaScript">
			function InitPage(){
				if (top.frames.length != 0){
					top.document.location='index.php<?php echo Querystr($_GET)?>'
				}
			}
		</script>
	</head>
	<body onload="InitPage()">
	</body>
</html>
Then send an email to your hotmail account where you have an "href" that hyperlinks to the page where this code resides.
When I try that, I get the following javascript error when using Mozilla 1.4:

Code:

Error: uncaught exception: Permission denied to get property Function.frames
I realize nothing is wrong, it is just some security setting in the outmost window that prevents my frame from accessing the top window object.
And that may be OK. I realize the cracking potential of leaving the frame's content exposable to my child frame.

My problem is:
That code you see at the top of this post is cut from a login page to my Internet application. It is OK as long as I don't refer to the javascript object 'top'. The reeeeally funny thing now is, (listen now), this Internet Explorer 5 and 6 doesn't function when in that frame. HAHAHAHA! Here's my form tag:

Code:

<?php // WhatNow comes straight from the request, so URL-encode it before echoing it into the attribute ?>
<form action="index.php?WhatNow=<?php echo urlencode($_GET['WhatNow']).($_GET['TopicID'] ? '&TopicID='.intval($_GET['TopicID']) : '').($_GET['UserID'] ? '&UserID='.intval($_GET['UserID']) : '')?>" name="Form1" method="POST" enctype="multipart/form-data">
My frame buster CAN'T bust hotmail's frameset. I'm busted. Permission denied. So... Mozilla, Opera and Netscape 7 run my system perfectly even in that frame that I don't want. But IE!!!! HAHAHA! FAAAAIIILS! HA HA HAA! The form doesn't post correctly in IE. PHP never gets it. I can neither reject the login nor permit it. The page just reloads when I press the submit button.

IE is so full of crap. Every single day I do some client side scripting that should work with ALL browsers according to documentation and standards that all but one developer team tries to adapt. And Internet Explorer has its quirks and bugs that appear out of nowhere without any easily understandable reasons.

I can work myself around that of course by opening another window or asking the email recipient at the hotmail account to cut and paste the address into a new system or something... I just wanted to post this as 50% of my client side development time is consumed by solving strange behaviour of IE. IE is a joke. .NET is not special! Linux has always been what Windows is now trying to become! :x

Now to the questions:

What kind of code can trigger that javascript security setting that prevents scripting access to the parent frame?

What do YOU think I should try to work around that problem?

Posted: Mon Apr 28, 2003 3:49 pm
by volka
Cross-site scripting should be rejected by browsers (but there have been some issues in IE, Mozilla, Opera(?), ...).
You might simply place a link
<a href="http://your.serv.er/login.php" target="_top">login</a> to gain control ;)

Posted: Mon Apr 28, 2003 4:58 pm
by Heavy
Today, what I send in my system generated email looks like this:

Code:

<a target="EMAIL_HREF_POPUP_TARGET" href="https://address.to.site/">Label</a>
That shouldn't open it inside a frame in a completely new window! The hotmail system converts the content of that A-tag to something like this:

Code:

<a href="http://64.4.8.250/cgi-bin/linkrd?_lang=SV&lah='lotsofdigits'&lat='lotsofdigits'&hm___action=http%3a%2f%2faddress%2eto%2esite" target="_blank">address.to.site</a>
...which of course does not do as I wanted.

But the questions at the end of the first post in this thread remain unanswered. Anything is welcome.
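
On the first post's question about what blocks access to the parent frame, as an added example that is not part of the thread: the browser's same-origin policy rejects any read of a property on a window from another origin, which is what `top.frames.length` does, while comparing window references and assigning `top.location` are permitted. The names `legacyCheck`, `bustFrame`, `crossOriginTop` and `makeFramedWindow` are hypothetical, and the foreign top window is a constructed stand-in so the sketch also runs outside a browser.

```javascript
// The check from the first post: it reads a property of `top`, which throws
// when the top window belongs to another origin.
function legacyCheck(win) {
  return win.top.frames.length != 0;
}

// Frame buster that never reads from `top`. `win` is the page's own window.
function bustFrame(win) {
  // Comparing window references is allowed across origins.
  if (win.top === win.self) return "not-framed";
  try {
    // Writing top.location is permitted even when reading it is not.
    win.top.location = win.self.location.href;
    return "busted";
  } catch (e) {
    // Navigation refused by the browser: do not render inside the frame.
    win.document.documentElement.style.display = "none";
    return "hidden";
  }
}

// Constructed stand-in for a cross-origin top window: every read throws,
// and a write to `location` succeeds unless blockNav is set.
function crossOriginTop(blockNav) {
  const state = { navigatedTo: null };
  const proxy = new Proxy({}, {
    get(_, prop) {
      throw new Error("Permission denied to get property " + String(prop));
    },
    set(_, prop, value) {
      if (prop !== "location" || blockNav) throw new Error("Permission denied");
      state.navigatedTo = value;
      return true;
    },
  });
  return { proxy, state };
}

// Constructed window object for a page loaded inside `top`.
function makeFramedWindow(top) {
  const win = {
    top,
    location: { href: "https://address.to.site/index.php" },
    document: { documentElement: { style: {} } },
  };
  win.self = win;
  return win;
}

// In a browser, run the buster against the real window.
if (typeof window !== "undefined") bustFrame(window);
```

A server can also send `Content-Security-Policy: frame-ancestors 'none'` (or `X-Frame-Options: DENY`), which tells the browser not to render the page in a frame at all.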