iframe - Firefox without same origin policy

23
2014-04
  • Knuwgljung

    I have an increasingly frustrating problem with the Firefox implementation of the same origin policy.

    I am developing an integrated system with touch screen support, and we have the user option of loading web pages in iframes in several locations on the screen. The web pages can be any kind of webpages from any kind of domain and location (Google, Yahoo, intranet pages etc) and herein lies my problem.

    I need to be able to add an onclick event to the iframe, that gives me the id of the iframe (or some other unique identifier) as a response. This tells me that activity (web browsing) is underway on the iframe and that the iframe should not be reloaded (the pages are set for a fixed automatic update interval that should be interrupted on activity).

    I have read just about everything Google returns me (but I would love to be disproven in this matter) and I have found this to be the best (among a lot of other) solution:

    <iframe src='http://google.com' id='iframe1' onload='netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserWrite"); this.contentWindow.document.addEventListener("click", function(event) {alert(this.id);}, false)'></iframe>
    

    This just gives me the regular permission denied for http://localhost to get property Window.document from http://google.com

    I know why I get this error message, and my question is simple. How do I remove it?

    It is an integrated system, I can compile Firefox from source, I can edit the source code if needed, I can change prefs.js etc. but I need to use Firefox (I know all other sensible web browsers have a nice command line switch to turn it off...) but we have a (quite) tight integration with the Firefox platform that would be hard to remove.

    We currently use Firefox v.3.5.16 (I know it's EOL, we are going to upgrade it some other time) on a Debian Squeeze platform. If needed I can upgrade to a newer Firefox version, but from what I have found it seems to fare even worse in this matter.

    TL;DR Help me to shut off same origin policy, in any way possible on Firefox 3.5.16 for an integrated platform that needs to alter code through cross domain iframes.

  • Answers
  • Knuwgljung

    I feel quite stupid.

    It works when you use UniversalXPConnect instead of UniversalBrowserWrite.

    For example: netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");

    Also, you cannot use this.id or this.parentNode.id, that still gives a (different) access error. To defeat that problem just store it in a temporary variable first:

    onload='var tempstuff = this.id; this.contentWindow.document.addEventListener("click", function(event) {alert(tempstuff);}, false)'
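
An alternative that leaves the same-origin policy enabled, as an added example that is not part of the original post (later Firefox releases removed `enablePrivilege`): the parent page listens for its own `blur` event and checks whether focus moved into an iframe, which identifies the frame without reading `contentWindow.document`. The names `createFrameActivityTracker`, `idleMs`, `now` and `defer` are hypothetical.

```javascript
// Added example, not code from the original post. All names are hypothetical.
// Identifies which iframe the user tapped into by watching the PARENT window,
// so no cross-origin access (and no privilege escalation) is needed.
function createFrameActivityTracker(win, doc, opts) {
  const idleMs = opts.idleMs;                 // how long a frame counts as "in use"
  const now = opts.now || Date.now;           // injectable clock
  const defer = opts.defer || ((fn) => win.setTimeout(fn, 0));
  const lastActive = new Map();               // iframe id -> time focus entered it
  let lastId = null;

  function onBlur() {
    // activeElement can be updated just after blur fires, so check on the next tick.
    defer(() => {
      const el = doc.activeElement;
      if (el && el.id && String(el.tagName).toUpperCase() === 'IFRAME') {
        lastActive.set(el.id, now());
        lastId = el.id;
      }
    });
  }
  win.addEventListener('blur', onBlur, false);

  return {
    // True when the periodic reload of this frame may go ahead.
    mayReload(id) {
      const t = lastActive.get(id);
      return t === undefined || now() - t >= idleMs;
    },
    lastActiveId() { return lastId; },
    stop() { win.removeEventListener('blur', onBlur, false); }
  };
}

// Browser wiring (skipped outside a browser): postpone the fixed-interval
// reload of a frame while the user has recently tapped into it.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const tracker = createFrameActivityTracker(window, document, { idleMs: 60000 });
  window.setInterval(() => {
    for (const frame of document.getElementsByTagName('iframe')) {
      if (frame.id && tracker.mayReload(frame.id)) frame.src = frame.src;
    }
  }, 300000);
}
```

The parent only sees focus entering a frame; further taps inside the same frame do not blur the parent again, so `idleMs` should be chosen with that in mind.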
    

  • Related Question

    security - Firefox makes links non-clickable
  • Mehper C. Palavuzlar

    I am using some online reporting pages from my company's web site. After logging in to the related pages, I cannot click on the links that produce the reports. The links appear just as plain text, and are non-clickable. When I open the same pages in IE8, there is no problem. The links work and reports are generated. I've looked at the security settings from the options menu, but found nothing. How can I make Firefox trust this site and work properly?

    Note: The web pages are in asp format, and the links are supposed to open the reports in Crystal Report Viewer. There are also some Flash graphs in some pages, and they don't work either.

    Source code of one frame:

    <SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
        function go_there(url)
        {
            window.open(url + '&prompt0=1&prompt1=' +  [..]);
        }
    </SCRIPT>
    
    [..]
    
    <td style="cursor:hand; [..]"
        onclick="go_there('/webreports/[..]/dpp_zmo_bayi_dd.rpt?apsuser=[..]');">
      <img [..] src="[..]">&nbsp;&nbsp;Envanter inceleme linki (zmo_bayi_dd)
    </td>
    

    After logging into the site, Error Console displays the following errors:

    Err1

    Err2

    Err3

    After opening the problematic page, the following errors are displayed:

    Err4

    Err5

    Finally, when I click on the links (although they don't look like links), these error messages are created:

    Err6


  • Related Answers
  • Arjan
    style="cursor:hand; [..]"

    The standards for CSS cursor do not define "hand", and hence that value is only understood by some browsers (like Internet Explorer, and in Safari if no strict DOCTYPE is set). Firefox doesn't support it.

    So: bad design by the creators of the site. However, the CSS only defines how things are shown; clicking in your source code sample should still work, even though the mouse pointer might not indicate something is clickable!

    function go_there(url)
    {
        window.open(url
          + '&prompt0=1&prompt1='
          + parent.detail.ust.form1.donem.value, [..]
        );
    }
    Error: parent.detail.ust.form1 is undefined  
    Error: parent.ust.form1 is undefined

    Too bad, this is caused by the way the web site tries to get information from the other frames. Maybe the things named "detail" and "ust" just don't exist and Internet Explorer ignores that. Or maybe this is just non-standard, IE-only. Bad implementation.

    (I'm sure someone could create a Greasemonkey script to replace the CSS hand on the fly, as a workaround. Some script might also fix the bad JavaScript, but as IE works I guess that's a bit too much.)

  • Phoshi

    Take a look at the Source (Right click -> View Source)

    Search for the text of one of the links, and see if it has <a href='url'>The text goes here</a> sort of tagging. If it doesn't, Firefox is not the problem here.

  • Rich Bradshaw

    I'd guess that the built-in popup blocker is being fired. This is a pretty weird way to make a link, and I wouldn't be surprised if it's blocked.

    Fx should show a message saying that the popup has been blocked, but you may have clicked a "never show this again" type message at some point... Check the settings to see if you can reset warnings.

  • Chris Andrè Dale

    I'm guessing this is a caching problem? What does the URL look like when you're at a page where links don't work? Firefox will automatically turn the URL into wyciwyg://yourUrlHere.com

    You can read more about What You Cache Is What You Get and find out how it may affect you.