Jarek Foksa wrote:

I have an app that consists of a top level document and an iframe inside it:
- I have full control over the top level document as it will be loaded
from localhost
- I have no control over the content of the iframe, it could be any
random website from the web
- Scripts from the top level document must be able to access and
modify DOM and CSSOM of the iframe
- Scripts from the iframe must not be able to access DOM, CSSOM or any
other data from the top level document

I have already found several obscure ways to disable same origin policy:
- load the iframe content from a proxy server so that it appears to be
from the same origin as top level document
- start the browser with '--disable-web-security' (works for Chrome and Safari)
- compile webkit-cocoa app with setWebSecurityEnabled:false

The problem with those workarounds is that they enable the
communication between top level document and iframe in both ways,
which would be very dangerous in my case.

How can I access DOM and CSSOM of an iframe without giving the iframe
access to my top level document?

On Windows you could consider using an HTML application, see http://msdn.microsoft.com/en-us/library/ms536471(v=vs.85).aspx, where you then set the application attribute of any untrusted iframe to "no" (or where you don't set that attribute, as "no" is the default). That way you can use script in the HTML application to control and access the iframe contents, but the iframe's content is sandboxed.

--

        Martin Honnen --- MVP Data Platform Development
        http://msmvps.com/blogs/martin_honnen/
