Problem passing parameters via Iframe in IE - iframe

I'm trying to execute an HTTP GET from my website to another website that is brought in via iframe.
On Firefox, you can see in the source that the correct URL is in the iframe src along with its correct parameters, and it works.
On IE, you can see in the source that the correct URL is in the iframe src along with its correct parameters, and it doesn't work...
Is there something about IE that doesn't let you pass parameters through an iframe in the querystring?
I've tried refreshing the iframe in IE, I've tried refreshing my page & the iframe in IE, and I've tried copying the url and re-pasting it into the iframe src (forcing it to refresh as if I just entered it into the address bar for that iframe window). Still no luck!
Anyone know why this is happening, or have any suggestions to try to get around this?
Edit: I cannot give a link to this because the site requires a password and login credentials to both our site and our vendor's site. Even though I could make a test account on our site, it would not do any good for the testing process because I cannot do the same for the vendor site. As for the code, all it's doing is creating the src from the backend code on page load and setting the src attribute from the back end...
//Backend code to set src
mainIframe.Attributes["src"] = srcWeJustCreated;
//Front end iframe code
<iframe id="mainIframe" runat="server" />
Edit: Problem was never solved. Answer auto accepted because the bounty expired. I will re-ask this question with more info and a link to the page when our site is closer to going live.
Thanks,
Matt

By the default security settings in IE, query parameters are blocked in iframes. On the security tab under Internet Options, set your security level to low. If this fixes your problem then you know that is your issue. If the site is for external customers then expecting them to turn down their security settings is probably unreasonable, so you may have to find a workaround.

Let's say your site is www.acme.com and the iframe source is at www.myvendor.com.
IIRC, most domain-level security settings don't care about the hostname, so add a DNS CNAME to your zone file for myvendor.acme.com, pointed back to www.myvendor.com. Then, in your IFRAME, set the source using your hostname alias.
Another solution might be to have your Javascript set the src to a redirector script on your own server (and, thus, within your domain). Your script would then simply redirect the IFRAME to the "correct" URL with the same parameters.
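The redirector script suggested above is worth building carefully: if it forwards to whatever URL it is handed, it becomes an open redirect on your own domain. The following is an added example, not the answerer's code, of the destination check such a script should perform before issuing its redirect. The host name www.myvendor.com is the one used in the answer; the function and exception names are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Only these external hosts may be the target of the redirect (host from the answer above).
ALLOWED_VENDOR_HOSTS = {"www.myvendor.com"}


class RedirectRefused(ValueError):
    """Raised when the requested destination is not on the allow-list."""


def build_redirect(target: str, params: dict) -> str:
    """Return the Location value the redirector should answer a 302 with.

    The iframe src points at this script on our own domain, carrying the real
    destination in `target` and the vendor parameters separately in `params`.
    The URL is rebuilt from scratch so only an http(s) scheme, an allow-listed
    host, the path and our own query string get through.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        raise RedirectRefused("only http(s) destinations are allowed")
    # .hostname drops userinfo and port, so http://www.myvendor.com@evil.example
    # resolves to the host the browser would actually connect to.
    if parts.hostname is None or parts.hostname not in ALLOWED_VENDOR_HOSTS:
        raise RedirectRefused(f"host not allow-listed: {parts.hostname!r}")
    # Any query string inside `target` is discarded; parameters come only from `params`.
    return urlunsplit(
        (parts.scheme, parts.hostname, parts.path or "/", urlencode(params, doseq=True), "")
    )


if __name__ == "__main__":
    print(build_redirect("https://www.myvendor.com/report", {"user": "42", "mode": "full"}))
```

Anything the check refuses should be logged with the offending target, since a stream of refused destinations on a redirector is exactly the signal of someone probing it.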

If it suits you, you can communicate between sites with fragment identifiers. You can find an article here: http://tagneto.blogspot.com/2006/06/cross-domain-frame-communication-with.html

What BYK said. I think what's happening is you are GETting a URL that is too large for IE to handle. I notice you are trying to send variable named src, which is probably very long, over 4k. I ran into this problem before, and this was my code. Notice the comment about IE. Also notice it causes a problem with Firefox then, which is addressed in another comment.
var autoSaveFrame = window.frames['autosave'];
// try to create a temp form object to submit via post, as sending the browser to a very very long URL causes problems for the server and in IE with GET requests.
var host = document.location.host;
var protocol = document.location.protocol;
// Create a form
var f = autoSaveFrame.document.createElement("form");
// Add it to the document body
autoSaveFrame.document.body.appendChild(f);
// Add action and method attributes
f.action = protocol + '//' + host + "/autosave.php"; // firefox requires a COMPLETE url for some reason! Less a cryptic error results!
f.method = "POST";
// 'post' holds the (possibly very long) content to save; it is defined elsewhere on the page.
var postInput = autoSaveFrame.document.createElement('input');
postInput.type = 'text';
postInput.name = 'post';
postInput.value = post;
f.appendChild(postInput);
//alert(f.elements['post'].value.length);
// Call the form's submit method
f.submit();

Based on Mike's answer, the easiest solution in your case would be to use "parameter hiding" to convert all GET parameters into a single URL.
The most scalable way would be for each 'folder' in the URL to consist of the parameter, then a comma, then the value. For example you would use these URLs in your app:
http://example.com/app/param,value/otherparam,othervalue
http://example.com/app/param,value/thirdparam,value3
Which would be the equivalent of these:
http://example.com/app?param=value&otherparam=othervalue
http://example.com/app?param=value&thirdparam=value3
This is pretty easy on Apache with .htaccess, but it looks like you're using IIS so I'll leave it up to you to research the exact implementation.
EDIT: just came back to this and realised it wouldn't be possible for you to implement the above on a different domain if you don't own it :p However, you can do it server-side like this:
Set up the above parameter-hiding on your own server as a special script (might not be necessary if IE doesn't mind GET from the same server).
In Javascript, build the static-looking URL from the various parameters.
Have the script on your server use the parameters and read the external URL and output it, i.e. get the content server-side. This question may help you with that.
So your iframe URL would be:
http://yoursite.com/app/param,value/otherparam,othervalue
And that page would read and display the URL:
http://externalsite.com/app?param=value&otherparam=othervalue
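As an added example (not the answerer's code), here is the parameter-hiding scheme above in both directions: encoding a parameter set into `/name,value` path segments and parsing such a path back on the server. It goes slightly beyond the answer by percent-encoding names and values, so a comma or slash inside a value cannot be mistaken for a delimiter, and by rejecting malformed segments rather than guessing. The function names and the `/app` prefix are assumptions.

```python
from urllib.parse import quote, unquote


def hide_params(base: str, params: dict) -> str:
    """Encode query parameters as /name,value path segments appended to base."""
    segments = []
    for name, value in params.items():
        # safe='' also encodes ',' and '/', which are the scheme's delimiters.
        segments.append(f"{quote(str(name), safe='')},{quote(str(value), safe='')}")
    return base.rstrip("/") + "/" + "/".join(segments)


def unhide_params(path: str, app_prefix: str) -> dict:
    """Inverse of hide_params for a request path; raises ValueError on bad input."""
    if not path.startswith(app_prefix):
        raise ValueError("path outside application prefix")
    rest = path[len(app_prefix):].strip("/")
    params = {}
    if not rest:
        return params
    for segment in rest.split("/"):
        name, sep, value = segment.partition(",")
        if not sep or not name:
            raise ValueError(f"malformed segment: {segment!r}")
        params[unquote(name)] = unquote(value)
    return params


if __name__ == "__main__":
    url = hide_params("http://example.com/app", {"param": "value", "otherparam": "othervalue"})
    print(url)
    print(unhide_params("/app/param,value/otherparam,othervalue", "/app"))
```

The decoded dictionary is untrusted input exactly like a query string would be, so whatever validation the original `?param=value` handler performed still applies after `unhide_params`.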

Try using an indirect method. Create a FORM. Set its action parameter to the base url you want to navigate. Set its method to POST. Set its target to your iframe and then create the necessary parameters as hidden inputs. Finally, submit the form. It should work since it works with POST.

Related

How do I protect the original source (URL) from being accessed directly BUT at the same time allow my iFrame to load that protected page?

I consider myself new to this, so I apologize if I am "off" in anyway.
I need to somehow get a HTML page to load in wordpress as if it was "part of the WP" page.
I have used an iFrame and this works fine (If there's a better solution I am all eyes).
The problem is that I need the HTML page to not be able to be accessed directly by the public. The iFrame however will load as normal.
How would this work? I am a beginner in PHP and somewhat know how .htaccess works. If I am given code please explain where to add it.
You could add some code to the page in your iframe, to detect that it is loaded in the frame and if not redirect to the parent page
if(window.self !== window.top) location.href = 'http://...'

What does ?t=some-number mean when used at the end of an image url

Here is the example image url I found on Steam.
https://steamcommunity-a.akamaihd.net/public/shared/images/header/globalheader_logo.png?t=962016
The image url gives the same result with or without the ?t=962016. What is it called? And what does it do?
?t=962016
This is a technique to disable browser caching: the browser sees it as a new URL and fetches the resource again from the web server. The resource can be an image, CSS file, JS file, etc. This is the most common use case, but it can also be used differently by the web server.
There is another use case as well. I have done this in one of my projects.
I have made all requests to *.jpg handled by a PHP script.
Eg: mysite.com/user/avatar.jpg?id=100
avatar.jpg is actually a PHP script which takes the query param (in this case the id 100) and returns the corresponding user's avatar (the user with id 100). The browser sees this as an image. Another advantage is that we can disable hot linking directly to this image, as the script can check if the request originated from the same domain.
IMO there are 2 possibilities
- They put that parameter to avoid the image being cached; the value of t is random in this case
- The image can be generated by a script; in this case the value of t is the id of the image.
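The two answers above describe a cache-busting parameter and a Referer-based hotlink check. As an added example (not code from either answerer), the block below shows the deterministic form of the first technique, where `t` is derived from the file's content hash so an unchanged file keeps one cacheable URL and a changed file gets a new one, plus a model of the browser's cache key that ignores the fragment but not the query. It also implements the same-domain Referer check as the heuristic it is: absent or attacker-controlled Referer headers make it a deterrent, not access control. Host names and function names are constructed.

```python
import hashlib
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def fingerprint_url(url: str, content: bytes, param: str = "t") -> str:
    """Append ?t=<short SHA-256 of content>; same bytes give the same URL."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = hashlib.sha256(content).hexdigest()[:12]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def cache_key(url: str) -> str:
    """Model the browser cache key: scheme, host, path and query, never the fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def referer_is_same_site(referer: Optional[str], expected_host: str) -> bool:
    """Hotlink heuristic: True only when the Referer's host equals ours.

    Browsers may omit Referer and any non-browser client can set it freely,
    so this only discourages casual embedding; it does not protect the file.
    """
    if not referer:
        return False
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return False
    return host is not None and host == expected_host.lower()


if __name__ == "__main__":
    logo = "https://cdn.example.test/images/logo.png"  # constructed URL
    print(fingerprint_url(logo, b"png bytes, version 1"))
    print(referer_is_same_site("https://mysite.com/profile", "mysite.com"))
```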

Using Request.Url.AbsoluteUri to construct a breadcrumb link

Inside my _layout view I have added the following link, to refresh the current page as part of my breadcrumb bar:
#(aoutput == "Index" ? "Home" : aoutput)
The above is working well on my development environment, but I am not sure if using Request.Url.AbsoluteUri is the correct way to reference the current page URL?
AbsoluteUri includes the scheme (such as http), the host, the port, the path, query string data and the fragment. As far as I know the fragment will not be included in the current URL because it is not sent with the request (that is, it's handled by the browser client-side).
This should be fine to use and is unlikely to cause you issues. Just be aware that query string data is included, which means that if you had a (poorly-designed) data manipulation system such as /Users/Index?action=deleteMostRecentUser then the user might accidentally delete users because the URI would include the action.
Alternatives are
Absolute Path: /Home/Index
Path & Query: /Home/Index?query=keyword
You can use it as you mentioned.
A better way is to make a separate partial view to implement the breadcrumb.
And pass the wanted model from the Controller side (or in ViewBag).
The main benefit you'll get is better control over the logic; it is also flexible for future changes.
Hope this helps.

ASP Request.QueryString doesn't html decode "&" from URL query string

In ASP having this URL:
http://www.example.com?foo=1&bar=2
Request.QueryString["bar"] returns NULL
The URL is a map area "href" link which I have assigned like so:
PolygonHotSpot p = new PolygonHotSpot();
p.NavigateUrl = "http://www.example.com?foo=1&bar=2";
ASP automatically HTML encodes the URL for the href, but it is not HTML decoding it again in the request therefore query string "bar" is not found.
Now I am using the IIS URL Rewrite 2 module. Maybe this module is causing the problem? What can I do to solve it? I have tried using URL rewrite rules but couldn't figure out how, or if it is the proper way.
It's probably not a good idea, but you could use Request.ServerVariables("QUERY_STRING") (or Request.ServerVariables["QUERY_STRING"] - your tags say ASP classic but your code looks like C#?) to get at the entire thing and then process it yourself.
I think there must be something deeper wrong though. A link can be encoded to be sent to the browser - the browser does the work of decoding it before navigating to the link. You can demonstrate this with a simple <a href="/test?a=1&b=2"> in a test script - the browser ends up correctly at /test?a=1&b=2. Testing it with a polygonal image map shows the same behaviour.
If you can show me what is in your actual HTML output for the image map I might be able to help more.
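The answer above rests on the browser decoding `&amp;` back to `&` before it requests the link. As an added example (not the answerer's code), the block below models both halves of that round trip and the symptom the question describes: if an already-encoded `&amp;` reaches the server unchanged (for instance because the URL was encoded twice or a rewrite rule copied the escaped text), the query string parser sees a parameter named `amp;bar` and `bar` is simply absent. Function names are assumptions; the sample URL is the one from the question.

```python
import html
from urllib.parse import unquote_plus


def href_attribute(url: str) -> str:
    """Encode a URL for placement inside href="...": '&' becomes '&amp;'."""
    return html.escape(url, quote=True)


def browser_navigation_target(attribute_value: str) -> str:
    """What the browser actually requests: the attribute value HTML-decoded."""
    return html.unescape(attribute_value)


def server_side_query(raw_query: str) -> dict:
    """Model Request.QueryString for the raw query string the server received.

    Splits on '&' only (the ';' separator some older parsers accept would hide
    the problem being demonstrated); the first value for a repeated name wins.
    """
    params = {}
    for pair in raw_query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), unquote_plus(value))
    return params


def looks_double_encoded(params: dict) -> bool:
    """True when a parameter name carries the residue of an undecoded '&amp;'."""
    return any(name.startswith("amp;") for name in params)


if __name__ == "__main__":
    link = "http://www.example.com?foo=1&bar=2"
    attr = href_attribute(link)
    print(attr)                                  # ...?foo=1&amp;bar=2 goes into the HTML
    print(browser_navigation_target(attr) == link)
    print(server_side_query("foo=1&amp;bar=2"))  # what a double-encoded request looks like
```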

How does wordpress allow posting of code via textarea

I recently asked a question about a LAMP stack not allowing posting of a <script> tag via textarea; the request is killed by Apache, I guess, as the $_POST, $_GET and $_REQUEST fields are all empty.
I was just wondering how WordPress allows users to add widgets, update template files and create pages using a textarea control that allows the <script> tag.
UPDATE
I've created a pastebin entry for the form here: http://pastebin.com/1Jaz9rRz
Basically it is an auto generated form, I've copy pasted from the source code.
UPDATE
I've moved the code for testing to the server here: http://www.007softwares.com/testing.php
The form is being posted to itself; I've echoed the $_REQUEST array to see what was posted. You can see that when you just submit the form, the fields are visible, and when you type a script tag the error page appears. Hope this helps.
This is quite certainly some misguided security mechanism either in your browser, or (more likely) on the server.
As said, check Suhosin out using phpinfo():
<?php phpinfo(); ?>
You should see some mention of the word "Suhosin" or "Hardened PHP" in the resulting output.
Also I wouldn't rule out mod_security - the errors you say you got when adding the lines disabling it in .htaccess might have some other reason. It could for example be configured that it's impossible to turn off through .htaccess.
Ask your web host whether they have anything enabled security-wise that might be causing this.
The LAMP stack doesn't care what text is submitted via a TEXTAREA. The script/app that receives the form input may have some logic in it which kills the process if it sees a SCRIPT tag but in general you can submit whatever text you want.
Your phpinfo() says that string.strip_tags is registered as a stream filter. This might be causing your issue.
Also, your filter extension may be configured to strip although that isn't as likely.
When the user submits a <p> tag it works as expected. When the user submits a <script> tag a 404 is returned. This leads me to believe Apache is using mod_security with a configuration similar to:
SecFilterDefaultAction "deny,log,status:404"
SecFilter "<script"
