  1. #1
    Power Member
    Join Date
    Jul 2006
    Location
    Cesano Maderno, Italy
    Posts
    784

    Opera --> Cross-frame scripting / frameset

    Opera has a strict security behavior dealing with cross-frame scripting through a frameset.

    Even if some browsers have "not-so-strict" rules, we can say that a way to make "cross-frame scripting" compatible with most browsers is to follow Mozilla's rules, which IMO make a lot of sense.

    Those rules don't specify what to do when page A and page B access each other through page C (where page C is a simple frameset containing 2 frames: PAGE_A and PAGE_B).

    If page A and page B (coming from the same server or from two different servers within the same domain) set their domain to a suffix of it (e.g. app.lightstreamer.com -> lightstreamer.com), and try to access the other page via the frames array of their parent (e.g. parent.frames["PAGE_A"]), then the access is successful with most browsers but not with Opera.

    To let Page A and Page B interact (within Opera) you should set the same domain also on Page C.

    We can't consider this as an issue but as an effort to keep the browser as secure as possible.

    Here is a simple test case. To test, click TEST on one or both frames; an alert saying "OK" is the sign that the cross-frame access has been successful:
    Shows the exception.
    Sets the domain on the frameset and then works.

  2. #2
    Power Member
    Join Date
    Jul 2006
    Location
    Cesano Maderno, Italy
    Posts
    784
    Oooops...sorry I forgot to mention how this is related to Lightstreamer

    If your Push-pages live inside a frameset, so that Page A is a Push-page that creates the engine with the createEngine method and Page B is another Push-page which wants to get data from the Engine created by Page A, and you have deployed your application in the canonical way (i.e. the web resources coming from a web server and the pushed data coming from Lightstreamer Server) then you should set the domain "by hand" on the frameset file or your app will not work with Opera browsers.

    Example frameset:
    Code html:
    <html>
        <script>
           // Same domain that PAGE_A and PAGE_B set, so Opera allows access through this frameset
           document.domain = "lightstreamer.com";
        </script>
        <frameset rows="50%,*">
            <frame name="PAGE_A" src="pageA.html">
            <frame name="PAGE_B" src="pageB.html">
        </frameset>
    </html>
    Page A's javascript snippet
    Code javascript:
    var lsPage = new PushPage();
    // Must match the document.domain set on the frameset
    lsPage.context.setDomain("lightstreamer.com");
    ...
    // Page A creates the engine that Page B will look up
    lsPage.createEngine("MyApplication","/LS/","SHARE_SESSION");
    Page B's javascript snippet
    Code javascript:
    var lsPage = new PushPage();
    // Must match the document.domain set on the frameset
    lsPage.context.setDomain("lightstreamer.com");
    ...
    // Reaches Page A's engine through the parent frameset's frames array
    lsPage.seekEngine("MyApplication", self.parent.frames.PAGE_A);
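
A simplified model of the check discussed in this thread, added here as an illustration; it is not part of the original posts and is not Lightstreamer or browser code. `strict` stands for the Opera behaviour the post reports and `lenient` for the other browsers; the function names and the host www.lightstreamer.com are assumptions made for the example.

```javascript
// Simplified model of the checks discussed in the thread (an assumption, not browser source).
// Constructed sample hosts: www.lightstreamer.com is hypothetical; app.lightstreamer.com is from the post.
function makeDoc(name, host) {
  // domain === null means the page never assigned document.domain
  return { name, scheme: "http", host, port: 80, domain: null };
}

// document.domain accepts only the current host or a dot-separated suffix of it.
// (Real browsers also refuse public suffixes such as "com"; that is not modelled here.)
function setDomain(doc, value) {
  if (doc.host !== value && !doc.host.endsWith("." + value)) {
    throw new Error(`${doc.name}: "${value}" is not a suffix of ${doc.host}`);
  }
  doc.domain = value;
}

// If either page assigned document.domain, both must have assigned the same value;
// otherwise scheme, host and port must all match.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null || b.domain !== null) return a.domain === b.domain;
  return a.host === b.host && a.port === b.port;
}

// caller reaches target through the documents in `path` (here: the parent frameset).
// strict = true additionally checks every document on the path against the caller.
function canReach(caller, path, target, strict) {
  if (strict && !path.every((d) => sameOriginDomain(caller, d))) return false;
  return sameOriginDomain(caller, target);
}

// PAGE_B evaluates parent.frames["PAGE_A"]: path is [PAGE_C], target is PAGE_A.
function scenario(framesetSetsDomain) {
  const c = makeDoc("PAGE_C", "www.lightstreamer.com");
  const a = makeDoc("PAGE_A", "www.lightstreamer.com");
  const b = makeDoc("PAGE_B", "app.lightstreamer.com");
  setDomain(a, "lightstreamer.com");
  setDomain(b, "lightstreamer.com");
  if (framesetSetsDomain) setDomain(c, "lightstreamer.com");
  return { lenient: canReach(b, [c], a, false), strict: canReach(b, [c], a, true) };
}

console.log("frameset without document.domain:", scenario(false));
console.log("frameset with document.domain:   ", scenario(true));
```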

 

 
