httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tristan Fairbairn" <Tristan.Fairba...@torex.com>
Subject [users@httpd]Cross frame scripting fails with apache...
Date Tue, 12 Nov 2002 09:22:19 GMT
Hi guys,

I have a problem and I *think* it is OS / browser / web server related.  We are running apache
1.3.27 on AIX 4.3.2

I have created two very simple html files.  test.html contains a frame which has src="test2.html".
 test.html tried to access an element of test2.html via the frame.  The code (below) works
correctly when the files are stored on my local disk.  However, when I place them on the apache
web server, I get an error "Access Denied" from the browser (IE6 Win2000).  I do *not* get
this error from ie5.5 sp2 on winnt even when the pages come from the apache server.  The oddest
part is that if I "refresh" the page after the error, it works! (and so do all subsequent
refreshes until I close and restart the browser).  I have done some testing and this is not
a timing issue, the document in the frame IS loaded before the cross frame access is attempted.

Our server runs on a machine without a DNS name, and so the apache server runs with "ServerName
localhost".  Is it possible that the browser is not being correctly convinced that the two
documents come from the same host (and hence falling foul of the browsers cross frame security
policy)?  I have also tried setting the ServerName to be the loop back IP as well as the servers
real static IP, but with no success.

Thanks for your time.

Tristan

test.html
=========
<head>
<script>
function doIt() {
  alert(frames["test"].document.body.id);
}
</script>
</head>
<frameset onload="doIt();">
<frame id="test" name="test" src="test2.html"></frame>
</frameset>
</html>

test2.html
==========
<html>
<body id="qwerty">
hello!
</body>
</html>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message