This is a follow up to my previous question: Problem passing parameters via Iframe in IE. Which was never solved.
Here's the core of it:
I'm trying to execute an HTTP GET from
my website to another website that is
brought in via iframe.
On Firefox, you can see in the source
that the correct url is in the iframe
src along with it's correct
parameters-- and it works.
On IE, you can see in the source that
the correct url is in the iframe src
along with it's correct parameters--
and it doesn't work...
Is there something about IE that
doesn't let you pass parameters
through an iframe in the querystring?
I've tried refreshing the iframe in
IE, I've tried refreshing my page &
the iframe in IE, and I've tried
copying the url and re-pasting it into
the iframe src (forcing it to refresh
as if I just entered it into the
address bar for that iframe window).
Still no luck!
Anyone know why this is happening, or
have any suggestions to try to get
around this?
As for the code, all it's doing is creating
the src from the backend code on page
load and setting the src attribute
from the back end...
//Backend code to set src
mainIframe.Attributes["src"] = srcWeJustCreated;
//Front end iframe code
<iframe id="mainIframe" runat="server" />
I've made a temporary account for you to login and see exactly what I mean. That way you can use firebug or any of your other debugging techniques to figure out why this isn't working rather than having me try to explain what's going on.
EDIT: Changed the account credentials. Please use this one instead
Username: matt
Password: globalbuying
Please follow this link to get to the login page. One you login with the above credentials it will take you to the main backend page. Click the image on the left that says "Vacations", that will take to you a page with the iframe and will execute the Http Get from there.
If you need more details on what's going on in the behind code, etc., let me know and I'll post them.
Thanks,
Matt
After working my way through the HTTP requests with Fiddler2, comparing different browsers, I found that IE makes the request just fine, but fails to set any cookies in the iframe.
I also noticed that if I open that framed page by itself it does work. Even more so, after logging out again there, the iframed version works too. That's because it then already has a session cookie and the iframe no longer needs to set it.
It turns out that this is a known security restriction: IE blocks cookies in iframes. But this can be overcome with the use of the Platform for Privacy Preferences (P3P).
Here are a few links that should help you fix the problem. Starting off with another (answered) question on StackOverflow:
Cookie blocked/not saved in IFRAME in Internet Explorer
Privacy in Internet Explorer 6
IE Blocking iFrame Cookies
The example page you provided is working for me in IE8. The iframe is not as tall as in chrome, but it does have the correct page in it.
As an aside, please note that passing logon credentials via the query string is extremely unsecure and open to various exploits.
It seems that the ampersands in the iframe's URL are HTML-encoded (&).
I think that might cause IE to choke on identifying the param names. Does the problem still occur if you use plain ampersands in the URL?
If the encoding on the src attribute is happening implicitly, you might want to consider using a Literal control for testing purposes and set its Text property to the entire iframe tag to avoid any unwanted encoding.
Related
I had a video that stopped being controllable when I appended a safety feature: I added
"&origin=http://mydomain.com" to the attributes of the iframe that had the video. (By not controllable I mean that the youtube api stopped working). So I decided to use the "sandbox" feature, which is also for security.
Unfortunately, it works too well - it blocks content too.
So if all I want to do is prevent the iframe from causing mischief, but I also want to play third party videos, should I use:
sandbox=""
or
sandbox="allow-same-origin"
I don't quite understand it from the W3schools description.
Thanks,
You should be able to set the origin= parameter on the URL that you include as the src= for your iframe tag.
One thing to try is URL escaping the :// characters in the parameter's value, e.g. origin=http%3A%2F%2F//mydomain.com. Does that help? If so, we'll get the example updated to reflect the need to escape.
If that doesn't help, could you please provide the full iframe tag, including all the attributes and their values, that you're using?
origin only works on html pages, not on asp.net pages. I tested it.
I'm running in to a couple of issues and wondered if anyone had any insight. I'm using the latest php-sdk I'm developing a canvas app that has a number of different steps. These steps are spread across multiple pages. Now when I first enter the app everything seems to work fine. The access token is there and I can call the api functions. On the second page (which is linked to in the same iframe) I get OAuth errors. Now if I use this on the 2nd page:
$me = $facebook->getUser();
var_dump($me);
it returns the correct user id, but I still get errors when trying to use an api query (specifically a FQL one in this instance)
Now, bear in mind these links are within the iframe so I was assuming the signed_request is getting lost somewhere, I know facebook normally issues this via a POST. If I set all my links to target="_parent" with a url such as http://apps.facebook.com/myapp/page2.php then everything works fine. Facebook clearly posts the correct info this time. Subsequently, then when I use links that only redirect the iframe it seems to work fine again (implying a cookie is being set somewhere).
Now I've seen other apps that don't have a target="_parent" that seem to work correctly, only ever loading the iframe on subsequent clicks and not the full facebook site. So I can only assume they are storing this info somewhere. I've tried to inspect these apps using httpfox but I can't see anything obvious. Does anyone have any links for best practice with multiple page apps? I know I can get around this using full urls and target="_blank" but I would like to know what's going on here. I've looked through the developer docs and the canvas page examples, but there's nothing obvious to me.
Any help or info would be appreciated
Many Thanks
There is some ways to achieve this
using Facebook JavaScript SDK (which will set cookie for you, so PHP-SDK can rely on it)
issuing POST request to your pages including signed_request from initial page loaded in canvas
I have a .net site that runs in an iFrame. In order to track various things on the page I use a cookie. I'm using a p3p header to ensure IE can read the cookie.
However it doesn't always seem to work. If I follow the steps below I can recreate an issue.
Delete all cookies from IE
Browse to iFrame containing my pages
Cookie is read OK.
Close browser
Navigate back to iFrame
Cookie not read
Refresh the page (F5)
Cookie is read OK
Repeat from step 4. ad infinitum...
Is this a caching issue in the parent page or the iFramed page?
If it is a caching issue how can I ensure IE doesn't cache this specific page and instead reloads the page along with the cookie?
Needless to say this doesn't happen in Chrome or Firefox.
Any light that could be shed on this will be much appreciated.
S.
This is a caching issue with the iFrame. The way to get around it is to add a unique query string parameter to the url in the iFrame.
Something like this will work:
<iframe src="http://www.MyAspNetApplication.com?q=<% =DateTime.Now.Ticks %>"></iframe>
Where q is the unique query string param.
I am working on a project in drupal in which i have an iframe loaded in another website.
I need to get the url from the address bar.
e.g., lets say i have a website embedded in the iframe as example.com...and another site embedding this iframe has the domain as abcd.com
So, the url that gets formed on accessing any content in the iframe would be like..
abcd.com/#/
I need to get this URL in the iframe.
Please help me resolving this problem. I am tryin to write a custom module for this but dunno how to proceed.
You cannot access the URL of an iframe from the outside. Think about potential XSS attacks that could occur from that:
http://yourbankingsite/account?sessid=2239872379092FEAACC2390823
Of course, this is a bad way to store the session id, but there are quite a few (and popular) sites that do this. If you had access to the iframe URL, a malicious website could be nothing but said iframe and a script to harvest the session ID.
In your iframe you could add a variable to the iframe url and use drupal 'current_path' to get the url of the iframe's parent. Then you could retrieve this variable from your iframe page(and make sure you validate it before you use it). i.e.
www.iframsite.com/iframepage?from=<?php print current_path(); ?>
I'm using the Facebook plugin called Activity Feed.
The URL of this plugin is:
http://developers.facebook.com/docs/reference/plugins/activity
Now, I'm having a problem.
When I get the code for using this plugin it comes inside an IFrame, and has a not standard attribute for Internet Explorer browsers, or at least that what I read, it's the allowTransparency="true" attribute.
When I validate my web site with this component it shows an error, there is no attribute "allowTransparency".
http://validator.w3.org/check?uri=http%3A%2F%2Fwww.ollivanders.co%2F&charset=%28detect+automatically%29&doctype=Inline&group=0
How can I solve it?
Thanks!!
I ran into the same thing. I deleted that attribute and the iframe worked just fine without it. Cosmetically it didn't affect any of my target browsers so I can live with it.
I suppose that attribute could be added via javascript if you really need it (don't know how to do this though)