It would be best if I could have this working on all platforms. So far I have found two more elegant solutions:
- use Mozilla Chromeless: http://mozilla.github.com/chromeless/#guide/embedding-web-content
- use Webkit-(cocoa/gtk/qt) wrapper with setAllowUniversalAccessFromFileURLs option set to true

On Fri, Jul 29, 2011 at 1:44 PM, Martin Honnen <[email protected]> wrote:
> Jarek Foksa wrote:
>
>> I have an app that consists of a top level document and an iframe inside
>> it:
>> - I have full control over the top level document as it will be loaded
>> from localhost
>> - I have no control over the content of the iframe, it could be any
>> random website from the web
>> - Scripts from the top level document must be able to access and
>> modify DOM and CSSOM of the iframe
>> - Scripts from the iframe must not be able to access DOM, CSSOM or any
>> other data from the top level document
>>
>> I have already found several obscure ways to disable same origin policy:
>> - load the iframe content from a proxy server so that it appears to be
>> from the same origin as top level document
>> - start the browser with '--disable-web-security' (works for Chrome and
>> Safari)
>> - compile webkit-cocoa app with setWebSecurityEnabled:false
>>
>> The problem with those workarounds is that they enable the
>> communication between top level document and iframe in both ways,
>> which would be very dangerous in my case.
>>
>> How can I access DOM and CSSOM of an iframe without giving the iframe
>> access to my top level document?
>
> On Windows you could consider using an HTML application, see
> http://msdn.microsoft.com/en-us/library/ms536471(v=vs.85).aspx, where you
> then set the application attribute of any untrusted iframe to "no"
> (respectively where you don't set that attribute as "no" is the default).
> That way you can use script in the HTML application to control and access
> the iframe contents but the iframe's content is sandboxed.
>
> --
>
> Martin Honnen --- MVP Data Platform Development
> http://msmvps.com/blogs/martin_honnen/
>
> --
> To view archived discussions from the original JSMentors Mailman list:
> http://www.mail-archive.com/[email protected]/
>
> To search via a non-Google archive, visit here:
> http://www.mail-archive.com/[email protected]/
>
> To unsubscribe from this group, send email to
> [email protected]
