You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Tristan Fairbairn <Tr...@torex.com> on 2002/11/12 10:22:19 UTC

[users@httpd]Cross frame scripting fails with apache...

Hi guys,

I have a problem and I *think* it is OS / browser / web server related.  We are running apache 1.3.27 on AIX 4.3.2

I have created two very simple html files.  test.html contains a frame which has src="test2.html".  test.html tried to access an element of test2.html via the frame.  The code (below) works correctly when the files are stored on my local disk.  However, when I place them on the apache web server, I get an error "Access Denied" from the browser (IE6 Win2000).  I do *not* get this error from ie5.5 sp2 on winnt even when the pages come from the apache server.  The oddest part is that if I "refresh" the page after the error, it works! (and so do all subsequent refreshes until I close and restart the browser).  I have done some testing and this is not a timing issue, the document in the frame IS loaded before the cross frame access is attempted.

Our server runs on a machine without a DNS name, and so the apache server runs with "ServerName localhost".  Is it possible that the browser is not being correctly convinced that the two documents come from the same host (and hence falling foul of the browsers cross frame security policy)?  I have also tried setting the ServerName to be the loop back IP as well as the servers real static IP, but with no success.

Thanks for your time.

Tristan

test.html
=========
<head>
<script>
function doIt() {
  alert(frames["test"].document.body.id);
}
</script>
</head>
<frameset onload="doIt();">
<frame id="test" name="test" src="test2.html"></frame>
</frameset>
</html>

test2.html
==========
<html>
<body id="qwerty">
hello!
</body>
</html>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org