iframe security issue

[krital]

Hi there,

we are developing a widget for wrt 1.1 and we have the following problem:

The widget creates an iframe using the dom model that has a network source address. While this loads there is a script tag that calls a function defined withing the widget local content. when this happens we get the following javascript error:

Error: Unsafe Javascript attempt to access frame with URL file:///C:/..... from frame with URL http://xxx.x..x.x.x ...

Is there a way around this ? We are thinking of wrapping a lot of our code with an iframe in the widget html...

Thanks,

Alex Kritikos
my-Channels

[isalento]

Hello Alex,

What browser are you using?
I would suspect that this is some kind of security mechanism that prevents accessing the resources loaded from different domain, like the cross site xhr prevention.

Have you tested if this works on real device?

Ps. About iFrames and widgets.
http://wiki.forum.nokia.com/index.ph...ts_and_iframes

-Ilkka

[krital]

Hello Ilkka,

thanks for your response. This happens on the N97 emulator when running a widget. I have not tested yet on a real device but the only 'browser' involved is the widget runtime. Its not really the cross site XHR but javascript cross domain which seems disabled for widgets (or they wouldnt be able to access the network).

As i said before this is caused by the following:

1. Local widget creates a hidden iFrame using javascript / dom model. The src attribute of the iframe is set to an HTTP url.
2. All of the above works however the content of the iframe contains a <script> tag that calls a javascript function defined by the widget.
3. The error occurs

Any help would be appreciated.

Alex

Hello Alex,

What browser are you using?
I would suspect that this is some kind of security mechanism that prevents accessing the resources loaded from different domain, like the cross site xhr prevention.

Have you tested if this works on real device?

Ps. About iFrames and widgets.
http://wiki.forum.nokia.com/index.ph...ts_and_iframes

-Ilkka

[jappit]

Hi krital,

as Ilkka said, this most probably is a security-related issue. Never tried with iFrames within WRT widgets, but the behavior you describe is exactly what happens when you try to access the content of an iFrame coming from a different domain.

Anyway, a test on a real device would be probably useful.

As a possible workaround: you could try loading the remote resource with a classic XMLHttpRequest object, and then manually setting the iFrame content with the responseText retrieved from that request. Not sure if it can properly work, but a test would clarify this

Hope it helps,
Pit

[krital]

Hi Pit,

thanks for your response. i will describe once again the situation as i tend to believe its a simulator or WRT bug.(BTW this design was done to specifically work around this issue, not how i started).

I have a WRT widget with a single index.html file. In there i define an IFrame which has a src attribute http://192.168.1.1/index_widget.html. The index_widget.html content loads and the scripts start running ok initially. At some point, the script creates another iframe using the dom api and sets its src attribute to another url on the same server (192.168.1.1). The content of that child iframe has a script tag that does window.parent.xxx where xxx is defined in index_widget.html. This should normally work because both iframes are loaded from the same domain, but instead it gives me :

Error: Unsafe Javascript attempt to access frame with URL http://192.168.1.1/index_widget.html from frame with URL http://192.168.1.1/x/x/x

Now if i visit http://192.168.1.1/index_widget.html or even if i put the widget index.html on the web server this works on safari, firefox, IE as well as the n97 SDK browser!

Thats why i believe it is a bug, i will try on a real N97 soon but does anyone have any ideas? Is there a newer version of the SDK than 1.0 ? any patches? bugfixes?

Thanks in advance,

Alex Kritikos
my-Channels

Hi krital,

as Ilkka said, this most probably is a security-related issue. Never tried with iFrames within WRT widgets, but the behavior you describe is exactly what happens when you try to access the content of an iFrame coming from a different domain.

Anyway, a test on a real device would be probably useful.

As a possible workaround: you could try loading the remote resource with a classic XMLHttpRequest object, and then manually setting the iFrame content with the responseText retrieved from that request. Not sure if it can properly work, but a test would clarify this

Hope it helps,
Pit