RE: (OT) Object tag - text/html in IE Cross Domain

2005-05-24 Thread Micha Schopman
Jim,

This is done for security reasons. Imagine someone creating his own
scripting to access Javascript methods which return sensitive
information (bank account).

There are some things one can do, like P3P tags, but essentially it
comes down to someone modifying the cross domain scripting settings in
the browser.

For IE, this is done by a checkbox, and for FireFox you need to
uncomment some lines and invoke the PrivilegeManager to enable
UniversalBrowserRead.

// Only ask for the privilege when the Mozilla-specific security object exists
if (typeof netscape != 'undefined' && typeof netscape.security != 'undefined') {
    netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
}

Sometimes it can be a pain in the ass, but I am glad the security is
there. 

Micha Schopman
Project Manager

Modern Media, Databankweg 12 M, 3821 AL  Amersfoort
Tel 033-4535377, Fax 033-4535388
KvK Amersfoort 39081679, Rabo 39.48.05.380



-
Modern Media, Making You Interact Smarter. Our solutions improve
the interaction with your target audience.
Want more turnover, lower costs or a better service level? For more
information see www.modernmedia.nl


-

-Original Message-
From: Jim Davis [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 24 May 2005 3:19
To: CF-Talk
Subject: RE: (OT) Object tag - text/html in IE Cross Domain

 -Original Message-
 From: James Holmes [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 23, 2005 9:25 PM
 To: CF-Talk
 Subject: RE: (OT) Object tag - text/html in IE Cross Domain
 
 ROFL.
 
 It's similar to an iframe in the way it works (and that's how I ended up
 doing it) but there is one small difference - an iframe's navigation is
 self-contained (i.e. links open inside the iframe) whereas the object
 tag's links (by default) target the browser containing the tag like any
 other. This difference may be more of a security hassle, I guess.
 Luckily in this instance the code I included had no links so the end
 result was almost identical using the iframe.

The only reason I'm being such a prick about this is that I've been through
it.

Our company was bought out and we wanted to combine our websites - content
from both servers in the same frame.  But we had all sorts of cross-site
scripting issues.

I spent some time and figured out an inelegant, but perfectly usable system
for passing information across sites using the status bar.  This was because
it turned out that browsers from different domains could still both read and
write to the status bar (at the time it worked in everything but IE 5.5 -
although oddly it did work in IE 6).

The code essentially created asynchronous messaging queues between two sites
- it was actually pretty slick.  (I've still got it if anybody wants to take
a look.)  It allowed scripts from different domains to share text data.

(As an aside I still think that's something that should be allowed via some
specialized code.  There should be some standardized location - something
like a public object which is accessible to all scripts in the instance -
that way different sites that choose to share data would have the ability
too, but the default behavior would be safe.)

I made the mistake of posting a question about how to fix the IE 5.5 issue
to a public forum which started a whole tirade about cross-site browser
security.  Several people sent messages to the various vendors - now my code
doesn't work in any of the new browsers.

Because of that I'm just overly wary of taking advantage of anything that
even has shades of that.  I just don't want to get used to something only to
have the capability disabled just when I've gotten used to relying on it.
;^)

Jim Davis






~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207510
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54


RE: (OT) Object tag - text/html in IE Cross Domain

2005-05-23 Thread Jim Davis
 -Original Message-
 From: James Holmes [mailto:[EMAIL PROTECTED]
 Sent: Sunday, May 22, 2005 12:44 PM
 To: CF-Talk
 Subject: RE: (OT) Object tag - text/html in IE Cross Domain
 
 It works in NS 7 and Opera 7.5 too.

What are they're published security parameters for this?

Again - I'm not saying that it doesn't work in other browsers.  I'm saying
that it's potentially a security issue and may go away - I would write to
the browser vendors and ask about it point blank: is this a supported
feature or an oversight that you'll be eliminating.

Jim Davis





Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207493


RE: (OT) Object tag - text/html in IE Cross Domain

2005-05-23 Thread Jim Davis
Damn - I'll go to the grave still typing They're when I mean Their.  ;^)

Jim Davis

 -Original Message-
 From: Jim Davis [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 23, 2005 8:26 PM
 To: CF-Talk
 Subject: RE: (OT) Object tag - text/html in IE Cross Domain
 
  -Original Message-
  From: James Holmes [mailto:[EMAIL PROTECTED]
  Sent: Sunday, May 22, 2005 12:44 PM
  To: CF-Talk
  Subject: RE: (OT) Object tag - text/html in IE Cross Domain
 
  It works in NS 7 and Opera 7.5 too.
 
 What are they're published security parameters for this?
 
 Again - I'm not saying that it doesn't work in other browsers.  I'm saying
 that it's potentially a security issue and may go away - I would write to
 the browser vendors and ask about it point blank: is this a supported
 feature or an oversight that you'll be eliminating.
 
 Jim Davis
 
 
 
 
 
 

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207494


RE: (OT) Object tag - text/html in IE Cross Domain

2005-05-23 Thread James Holmes
ROFL.

It's similar to an iframe in the way it works (and that's how I ended up
doing it) but there is one small difference - an iframe's navigation is
self-contained (i.e. links open inside the iframe) whereas the object
tag's links (by default) target the browser containing the tag like any
other. This difference may be more of a security hassle, I guess.
Luckily in this instance the code I included had no links so the end
result was almost identical using the iframe.

-Original Message-
From: Jim Davis [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 24 May 2005 8:37 
To: CF-Talk
Subject: RE: (OT) Object tag - text/html in IE Cross Domain

Damn - I'll go to the grave still typing They're when I mean Their.
;^)

Jim Davis

 -Original Message-
 From: Jim Davis [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 23, 2005 8:26 PM
 To: CF-Talk
 Subject: RE: (OT) Object tag - text/html in IE Cross Domain
 
  -Original Message-
  From: James Holmes [mailto:[EMAIL PROTECTED]
  Sent: Sunday, May 22, 2005 12:44 PM
  To: CF-Talk
  Subject: RE: (OT) Object tag - text/html in IE Cross Domain
 
  It works in NS 7 and Opera 7.5 too.
 
 What are they're published security parameters for this?
 
 Again - I'm not saying that it doesn't work in other browsers.  I'm 
 saying that it's potentially a security issue and may go away - I 
 would write to the browser vendors and ask about it point blank: is 
 this a supported feature or an oversight that you'll be eliminating.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207498


RE: (OT) Object tag - text/html in IE Cross Domain

2005-05-23 Thread Jim Davis
 -Original Message-
 From: James Holmes [mailto:[EMAIL PROTECTED]
 Sent: Monday, May 23, 2005 9:25 PM
 To: CF-Talk
 Subject: RE: (OT) Object tag - text/html in IE Cross Domain
 
 ROFL.
 
 It's similar to an iframe in the way it works (and that's how I ended up
 doing it) but there is one small difference - an iframe's navigation is
 self-contained (i.e. links open inside the iframe) whereas the object
 tag's links (by default) target the browser containing the tag like any
 other. This difference may be more of a security hassle, I guess.
 Luckily in this instance the code I included had no links so the end
 result was almost identical using the iframe.

The only reason I'm being such a prick about this is that I've been through
it.

Our company was bought out and we wanted to combine our websites - content
from both servers in the same frame.  But we had all sorts of cross-site
scripting issues.

I spent some time and figured out an inelegant, but perfectly usable system
for passing information across sites using the status bar.  This was because
it turned out that browsers from different domains could still both read and
write to the status bar (at the time it worked in everything but IE 5.5 -
although oddly it did work in IE 6).

The code essentially created asynchronous messaging queues between two sites
- it was actually pretty slick.  (I've still got it if anybody wants to take
a look.)  It allowed scripts from different domains to share text data.

(As an aside I still think that's something that should be allowed via some
specialized code.  There should be some standardized location - something
like a public object which is accessible to all scripts in the instance -
that way different sites that choose to share data would have the ability
too, but the default behavior would be safe.)

I made the mistake of posting a question about how to fix the IE 5.5 issue
to a public forum which started a whole tirade about cross-site browser
security.  Several people sent messages to the various vendors - now my code
doesn't work in any of the new browsers.

Because of that I'm just overly wary of taking advantage of anything that
even has shades of that.  I just don't want to get used to something only to
have the capability disabled just when I've gotten used to relying on it.
;^)

Jim Davis
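An added example, not code from this thread or from any of the posters: it models the same-origin rule that blocks script in the outer page from reading what an object or iframe loaded from another domain, and then the "standardized location" idea from the aside above, done the safe way: a receiver that accepts text messages only from an explicitly allowlisted origin and queues them, so two sites that choose to cooperate can, while everyone else stays locked out by default. All URLs and message contents are constructed sample values.

```javascript
// Added example, not code from the thread. It models the same-origin rule the
// thread keeps running into and the origin-checked messaging that lets two
// sites share text data on purpose while strangers stay locked out. All URLs
// and payloads below are constructed sample values.

// Same-origin policy: scheme, host and port must all match, otherwise script
// in the outer page may not read the document an <object> or <iframe> loaded.
function originOf(urlString) {
  // Default ports are dropped: "https://a.example:443/x" -> "https://a.example"
  return new URL(urlString).origin;
}

function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Receiver side of a cross-document channel. It does what a 'message' event
// handler in a browser should do: compare event.origin with an explicit
// allowlist before touching event.data, and queue what it accepts.
function makeReceiver(allowedUrls) {
  const allowed = new Set(allowedUrls.map(originOf));
  const queue = [];     // accepted text messages, in arrival order
  const rejected = [];  // origins that were refused, worth logging
  return {
    onMessage(event) {
      // Refuse unknown origins, and refuse anything that is not plain text
      // (the scheme in the thread only ever carried text, which keeps the
      // parsing surface small).
      if (!allowed.has(event.origin) || typeof event.data !== 'string') {
        rejected.push(event.origin);
        return false;
      }
      queue.push(event.data);
      return true;
    },
    drain() { return queue.splice(0, queue.length); },
    rejectedOrigins() { return rejected.slice(); },
  };
}

// Sender side, simulated. In a real browser the user agent, not the sending
// page, stamps the origin on a MessageEvent, so a page cannot forge it; here
// the origin is derived from the sending page's URL to mimic that.
function deliver(receiver, senderPageUrl, data) {
  return receiver.onMessage({ origin: originOf(senderPageUrl), data });
}

// Worked run: the partner site is allowed, an unknown site is not, and a
// non-text payload is refused even when it comes from the partner.
function runDemo() {
  const receiver = makeReceiver(['https://partner.example/widget.html']);
  deliver(receiver, 'https://partner.example/widget.html', 'hello from partner');
  deliver(receiver, 'https://evil.example/phish.html', 'give me the session');
  deliver(receiver, 'https://partner.example/other.html', { not: 'text' });
  return { accepted: receiver.drain(), rejected: receiver.rejectedOrigins() };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```

In a real page the sender would call `otherWindow.postMessage(text, 'https://partner.example')` with the target origin spelled out rather than `'*'`, and the receiver would attach `onMessage` with `window.addEventListener('message', ...)`; the origin check against `event.origin` is the part that must never be skipped, since the data itself proves nothing about who sent it.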




Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207502


RE: (OT) Object tag - text/html in IE Cross Domain

2005-05-23 Thread James Holmes
That's all fair comment. Perhaps IE limited this functionality first
because of the long history of security problems with IE (ok now I'm in
for it, fireproof suit at the ready).

Regardless, the iframe is doing the job and if I want to open a link
from it I'll target a new window.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207505


RE: (OT) Object tag - text/html in IE Cross Domain

2005-05-22 Thread Jim Davis
 -Original Message-
 From: James Holmes [mailto:[EMAIL PROTECTED]
 Sent: Sunday, May 22, 2005 11:48 AM
 To: CF-Talk
 Subject: (OT) Object tag - text/html in IE Cross Domain
 
 I was playing with client-side includes as I recall them mentioned in
 CF-Talk recently (although I'm stuffed if I can find the threads in the
 archives). I discovered that the following:
 
 <object type="text/html" data="http://whatever.com/somefile.html">

Sounds pretty clearly like a security restriction to me.

Cross site scripting is a major security problem - the code that you've
shown, if it worked, would open the door on any number of phishing scams.

What's FireFox's security model in this regard - have they published one?  

Personally I wouldn't get too attached to the functionality if I were you -
my guess is support for this in FF is more a bug than a feature unless
they've specifically addressed the issue in a published security model.

Jim Davis




Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207390


RE: (OT) Object tag - text/html in IE Cross Domain

2005-05-22 Thread James Holmes
It works in NS 7 and Opera 7.5 too. 

-Original Message-
From: Jim Davis [mailto:[EMAIL PROTECTED] 
Sent: Monday, 23 May 2005 12:09 
To: CF-Talk
Subject: RE: (OT) Object tag - text/html in IE Cross Domain

 -Original Message-
 From: James Holmes [mailto:[EMAIL PROTECTED]
 Sent: Sunday, May 22, 2005 11:48 AM
 To: CF-Talk
 Subject: (OT) Object tag - text/html in IE Cross Domain
 
 I was playing with client-side includes as I recall them mentioned in 
 CF-Talk recently (although I'm stuffed if I can find the threads in 
 the archives). I discovered that the following:
 
 <object type="text/html" data="http://whatever.com/somefile.html">

Sounds pretty clearly like a security restriction to me.

Cross site scripting is a major security problem - the code that you've
shown, if it worked, would open the door on any number of phishing
scams.

What's FireFox's security model in this regard - have they published
one?  

Personally I wouldn't get too attached to the functionality if I were
you - my guess is support for this in FF is more a bug than a feature
unless they've specifically addressed the issue in a published security
model.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:207391