iframeTagProxy ?



king7532
17 Jul 2007, 3:50 AM
Hey,

For my web app, I need the ability to get HTML pages from other servers. With Ext's built-in HttpProxy the HTML pages must be on the same domain where my web app is located. Obviously this will not work for me, but using an iframe tag you can give it any URL and it will get that page.

Before I actually write any code, I was wondering if anyone else had the same problem and already wrote some code similar to what I would call an "iframeTagProxy" object?

If you would be interested in such an object, post some of your requirements/needs so I can make this as useful as possible.

Benjamin

galdaka
17 Jul 2007, 7:57 AM
ScriptTagProxy supports cross-domain requests.

JeffHowden
17 Jul 2007, 7:18 PM
You won't be able to read the src of an iframe that's got a document loaded from another domain. You'll run up against built-in browser domain security restrictions.

DigitalSkyline
17 Jul 2007, 11:07 PM
Right, in order to do this you would need to scrape the data using your server and an XMLHttpRequest or equivalent as a proxy.

galdaka
18 Jul 2007, 3:10 AM
ScriptTagProxy: http://extjs.com/deploy/ext/docs/output/Ext.data.ScriptTagProxy.html

Other discussions:

http://extjs.com/forum/showthread.php?t=6823&highlight=scriptagproxy

king7532
18 Jul 2007, 11:32 AM
Check out this research paper presented at WWW 2007

http://www2007.org/papers/paper801.pdf

This paper shows the technique of nested iframes, to enable secure cross-domain communication. The technique relies on document.domain, and offers details on iframe security in the various browsers.

I tried Googling for that JavaScript library to no avail. I have emailed the authors and am waiting for a reply.

There is enough detailed information in the paper to code this library in JavaScript. If I don't hear back from the authors I might get started coding it myself because it's a really awesome technique for secure cross-domain communication using iframes.

Benjamin

JeffHowden
18 Jul 2007, 2:43 PM
There's nothing particularly special or groundbreaking about the multi-iframe technique detailed in that paper. It still relies on all parties properly setting the document.domain to the same domain value. This simply isn't doable without nearly having source control of both ends of the transaction.

The only reason for the multi-iframe approach is to keep the untrusted page from accessing things at the top-level that it shouldn't have access to. However, as both parties have to set the same document.domain setting, how untrusted is the other party really?

For truly untrusted sites where you can't set document.domain, you're stuck with on solution.
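
Added example, not part of any post in this thread: a simplified JavaScript model of the same-origin check and the document.domain opt-in discussed above, showing that cross-frame access is granted only when both frames assign the same value. The helper names (`makeFrame`, `setDocumentDomain`, `canAccess`) and the `example.test` hosts are constructed for illustration, and the model omits details such as the browser's public-suffix list.

```javascript
// Simplified model of the same-origin check as relaxed by
// document.domain. Host names are constructed for illustration.
function makeFrame(url) {
  // domain = value assigned to document.domain, null if never assigned
  return { url: new URL(url), domain: null };
}

// Browsers accept only the current host or a parent suffix of it, and
// reject bare public suffixes (approximated here by requiring two labels).
function setDocumentDomain(frame, value) {
  const host = frame.domain || frame.url.hostname;
  const isSuffix = host === value || host.endsWith("." + value);
  if (!isSuffix || value.split(".").length < 2) {
    throw new Error("SecurityError: cannot set document.domain to " + value);
  }
  frame.domain = value;
}

function effectivePort(u) {
  if (u.port) return u.port;
  return u.protocol === "https:" ? "443" : "80";
}

// Can script running in frame `a` read the DOM of frame `b`?
function canAccess(a, b) {
  if (a.url.protocol !== b.url.protocol) return false;
  // Both opted in: compare the assigned domains; the port is ignored.
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  // Only one side opted in: denied, even if the hosts would match.
  if (a.domain !== null || b.domain !== null) return false;
  // Neither opted in: plain scheme/host/port comparison.
  return a.url.hostname === b.url.hostname &&
         effectivePort(a.url) === effectivePort(b.url);
}

function demo() {
  const app = makeFrame("http://app.example.test/");
  const widget = makeFrame("http://widgets.example.test/frame.html");
  const before = canAccess(app, widget);      // different hosts
  setDocumentDomain(app, "example.test");
  const oneSided = canAccess(app, widget);    // only one frame opted in
  setDocumentDomain(widget, "example.test");
  const bothSet = canAccess(app, widget);     // both assigned same value
  return { before, oneSided, bothSet };
}
console.log(demo());
```

A frame on an unrelated site cannot join this arrangement, because `setDocumentDomain` rejects any value that is not a suffix of its own host.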