Detect support for srcdoc in iFrames - iframe

Does anyone know how to detect if the srcdoc attribute of iFrame is supported by the browser without relying on version checks, etc?

This should do the trick in JavaScript executed in a browser:
!!("srcdoc" in document.createElement("iframe"))
Source https://github.com/jugglinmike/srcdoc-polyfill/blob/master/srcdoc-polyfill.js#L19

Related

relative path problem in firefox?

I am using JavaScript to pop up a calendar when the user clicks on the calendar icon.
So here I am using something like ../calendar/calendar.html?datetime= to trigger the calendar.html.
But when I try to test it in IE it's working, but not in Firefox (it's not getting the correct URL path). How can I solve this issue? Please let me know.
Thanks
According to the spec, the href attribute of the <base> element must be an absolute URI. I am guessing you are also using a relative path here, which IE (among other browsers) deems acceptable.

Can an attacker change the src attribute in an iframe?

I have a website that uses IFrame in a page that loads other pages based on server side logic. So, if I do a View source, I would see something like this:
<iframe src="DeterminedOnServerSide.aspx" id="myFrame">
</iframe>
My question is - Is there any way, an attacker can change the src attribute to point other users to a malicious website considering that the src is determined on the server side?
Yes or no. You have not specified how "DeterminedOnServerSide.aspx" is determined. If your code for this consists of DeterminedOnServerSide = Server.Request["frame"] then it can clearly be 'hacked'. If you use a method that ensures only valid urls are chosen, then it is not vulnerable.
No, not unless they've compromised your server and can access and modify those source files. And if that's the case, changing of the 'src' attribute in the iframe is the least of your worries.
Yes. An XSS attack has the capability of changing the src of an iFrame.
Check it out: http://research.zscaler.com/2009/12/xss-embedded-iframes.html
The page you "include" using the IFRAME can navigate to a new page, changing the source.
Any user of the site can change the src value of the IFrame, using Developer tools like Firebug and IE Developer Tools
Any successful man-in-the-middle attack can change all your HTML source, including the src attribute. If the attacker is in control of a proxy or network between your customer and your server, they can change any of your HTML, including the src attribute.
Any successful hack into your server can change all your source code and change the attribute.
What hacker are you thinking of? You should only iframe to people/sites you trust, as this is a common way for cross site scripting attacks.
The only ways to change the src attribute of your iframe (or anything in your website) are:
The webpage which loads the iframe has an XSS vulnerability and the attacker uses the DOM to change it.
He (or she) gets access to your source code. Then the change of an iframe attribute is your least important concern ;-)
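The first answer's point, that the src is only safe when the server restricts it to known pages, can be shown as a server-side check. This is an added example, not code from the question or its answers; the origin, the /frames/ paths and the function names are hypothetical.

```javascript
"use strict";
// Added example. SITE_ORIGIN, the /frames/ paths and the function names are
// hypothetical; only the idea (restrict the server-chosen src) is from the answer.
const SITE_ORIGIN = "https://app.example";
const ALLOWED_PATHS = new Set(["/frames/Orders.aspx", "/frames/Profile.aspx"]);
const DEFAULT_SRC = "/frames/Home.aspx";

// Returns a src that is safe to emit: an allowlisted same-origin path, or the default.
function resolveFrameSrc(requested) {
  if (typeof requested !== "string") return DEFAULT_SRC;
  let url;
  try {
    // Resolve the value the way a browser would, so scheme-relative
    // ("//host/...") and absolute URLs reveal their real origin.
    url = new URL(requested, SITE_ORIGIN);
  } catch {
    return DEFAULT_SRC;
  }
  if (url.origin !== SITE_ORIGIN) return DEFAULT_SRC;
  if (!ALLOWED_PATHS.has(url.pathname)) return DEFAULT_SRC;
  return url.pathname; // query string and fragment are dropped on purpose
}

// Attribute-encode before writing the value into the markup.
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

function renderFrame(requested) {
  return `<iframe src="${escapeAttr(resolveFrameSrc(requested))}" id="myFrame"></iframe>`;
}

// Constructed request values and the markup the page would emit for each.
const samples = [
  "/frames/Orders.aspx",
  "/frames/Orders.aspx?x=1#top",
  "//other.example/frames/Orders.aspx",
  "https://other.example/",
  "javascript:void(0)",
  "/frames/../admin.aspx",
];
for (const s of samples) console.log(JSON.stringify(s), "->", renderFrame(s));
```

This covers only the server-chosen value; the XSS and man-in-the-middle cases raised in the other answers change the page after it has been rendered and need their own controls.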

How to add filtering to the File Explorer opened by the asp:UploadFile control

Is there any way to open the file explorer setting the filtering options like a desktop application does? I don't want to validate the file after it is selected; I want my users to view only valid files through filtering them before.
NO, this is not possible using the asp:FileUpload Control.
How to filter files in file upload control
seems like there is a way using JavaScript.
There is an "accept" attribute which can be set for the upload control; however, as discussed here, many browsers don't implement this attribute.
Your best bet is to use JavaScript as astander recommends so that you can check the extension of the file being uploaded before it hits the server.
You'll also want to do a check on the server side since client-side validation cannot be relied on for this type of thing.
No, for web applications there is no way yet (Dec 2009) to set the File Selector filtering. According to the INPUT tag (used by the UploadFile control to render) documentation it should be possible by adding the 'accept' attribute and setting the file mime type(s)... so bad that any major browser supports the accept attribute of input tags.
The best workaround is to validate the files on the client and server side.
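The server-side half of the check recommended above, as an added example that is not from any of the answers. It goes one step beyond the extension check they describe by also comparing the leading bytes of the content with the claimed type; the allowed types and function names are hypothetical.

```javascript
"use strict";
// Added example. The allowed types and function names are hypothetical choices.
// Extension -> bytes the file content must start with.
const ALLOWED_TYPES = new Map([
  [".png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  [".jpg", [0xff, 0xd8, 0xff]],
  [".jpeg", [0xff, 0xd8, 0xff]],
  [".pdf", [0x25, 0x50, 0x44, 0x46, 0x2d]], // "%PDF-"
]);

// Extension of the final path component, lower-cased; "" when there is none.
function extensionOf(fileName) {
  const base = String(fileName).split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  return dot > 0 ? base.slice(dot).toLowerCase() : "";
}

// Server-side decision: the name and the content must both agree with the allowlist.
function validateUpload(fileName, bytes) {
  const signature = ALLOWED_TYPES.get(extensionOf(fileName));
  if (!signature) return { ok: false, reason: "extension not allowed" };
  const matches = bytes.length >= signature.length &&
    signature.every((b, i) => bytes[i] === b);
  return matches
    ? { ok: true, reason: "accepted" }
    : { ok: false, reason: "content does not match extension" };
}

// Constructed sample uploads: file name and the first bytes of the body.
const text = (s) => new TextEncoder().encode(s);
const samples = [
  ["report.pdf", text("%PDF-1.4\n")],
  ["photo.PNG", Uint8Array.of(0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00)],
  ["photo.png.aspx", text("<%@ Page Language=\"C#\" %>")],
  ["photo.png", text("<%@ Page Language=\"C#\" %>")],
  ["README", text("plain text")],
];
for (const [name, body] of samples) console.log(name, validateUpload(name, body));
```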

How do tools like the web dev toolbar get the entire css file of a site?

The web dev toolbar for Firefox is quite an impressive tool.
What I am completely clueless about is how does this tool get the css stylesheet file of a site? This is hosted on a host which is secure etc. I am completely stumped.
I must be thinking about this in all the wrong way.
Thanks
The client (in this case Firefox) has to download the CSS file in order to render the page correctly. The plugin (in this case Firebug) simply requests the proper URL and the browser gets it--most likely from the cache. There is no real mystery here.
In every HTML file, there's a link to the CSS stylesheet, or else the browser wouldn't know where to find it, thus losing the ability to render the page correctly.
It's in the form of <link rel="stylesheet" type="text/css" href="theme.css">,
I'd like to add that regardless of whether the host is 'secure' or not, it still is presenting the file to the client.
Unless, of course, you're looking at an XML file. Then you need to consult the XSL which'll tell you where the stylesheet is.

How to embed audio file in HTML if it's being sent as octet-stream?

I'm trying to write a Greasemonkey script that will convert all "Play" links on a page to embedded audio (using the <embed> tag).
When I use a link that I get from a GMail attachment, it works like a charm.
When I use a link from another site (Digium Switchvox), the HTTP response header has ContentType set to "application/octet-stream" instead of "audio/x-wav" (like GMail's link). This confuses Firefox, which decides that I don't have the right plugin installed. If I set the type attribute in the <embed> tag to "audio/x-wav", Firefox uses Quicktime to load the file. Quicktime gets confused, however, and won't play the file.
Does anyone know of a clever way to solve this problem?
Have you tried overrideMimeType?
overrideMimeType
String (Compatibility: 0.6.8+) Optional.
A MIME type to specify with the request (E.G. "text/html; charset=ISO-8859-1").
