Within a Cocoa application I have a webview. When Google's personalized home page loads I get the following message caught by the WebViewDelegate:
Unsafe JavaScript attempt to access frame with URL http://www.google.ca/ from frame with URL http://www.ig.gmodules.com/gadgets...
Is there a setting that I set to make this error go away? It doesn't seem to cause any actual problems, but should be resolved.
That sounds like an issue on Google's end, I don't think there's anything you can do there. It means that an iframe with www.ig.gmodules.com loaded is trying to request something from www.google.ca, which according to the browser is a cross-domain request. If Google wanted to allow that they'd need a crossdomain.xml allowing the requests.
Related
I've added Roxy Fileman to my project and tied it in to CKEditor. It's a standard Durandal project with an MVC controller for routing and a web api controller for ajax/json data calls.
A typical working URL for a web api call in my app is http://localhost:63093/api/DurandalApi/getAssessmentQuestionnairePushMenu?id=1
When I try and upload a file from within CKEditor, I get:
Request URL:http://localhost:63093/fileman/index.html?type=image&CKEditor=ckeditor&CKEditorFuncNum=1&langCode=en
Request Method:POST
Status Code:405 Method Not Allowed
Remote Address:[::1]:63093
If, however, I directly go to http://localhost:63093/fileman/index.html?type=image&CKEditor=ckeditor&CKEditorFuncNum=1&langCode=en in my browser, the file upload works perfectly and I can then browse to the image from FileMan inside CKEditor.
The network tab in chrome dev tools indicates that the successful upload is done using this URL: http://localhost:63093/fileman/asp_net/main.ashx?a=UPLOAD which is significantly different to the one that CKEditor attampts to use, but that may be because in the second example, index.html is already loaded?
I'm not completely up to speed with what's going on, but the fact that the same URL works perfectly outside of Durandal if I go directly to the URL seems to indicate the FileMan plugin is working just fine and all permissions are set accordingly. Furthermore the CKEditor config is also fine as it can see the images I upload in the directory, but for some reason it's unable to "post" from within CKEditor (which is embedded in a standard Durandal view).
I'm trying to read up on routing to see if I need to do some kind of exception mapping in Durandal to tell it to let the 3rd party .ashx handler deal with the POST request and I'm not even sure if this problem is indicative of Durandal getting in the way or something else. Any suggestions gratefully received!
Ah. All has become clear. This is a half and half answer really as it doesn't really solve the problem, but equally the problem doesn't really exist!
The issue is that Roxy Fileman does NOT use the CK Editor inbuilt "upload" tab that is in the popup. It expects the user to "browse server" only and use the "add file" link in Roxy instead.
I was confused by the instructions, but now I understand!
I am using Firebug 1.10.2 with Firefox 14.0.1. When showing a web page, the Firebug add-on has this "behavior": Firebug’s “Aborted” message upon Ajax request.
What should I make? Is it so dangerous that I must improve my web application because the presence of some error, or it is a Firebug bug or something else?
Please see the documentation of XHR open() for example here:
https://developer.mozilla.org/en-US/docs/DOM/XMLHttpRequest
Note: Calling this method an already active request (one for which
open()or openRequest()has already been called) is the equivalent of
calling abort().
Just create a new XHR instance whenever you need one. Better yet, use jQuery or other JS library to do AJAX. It should shield you from these intricacies.
I saw this problem when trying to load a JavaScript file using HTTPS, but was serving the site on my local development environment using HTTP. The request to fetch the JavaScript file would fail with the Aborted message in FireBug. Making the requests use the same protocol worked for me.
I am using the CefSharp .Net wrapper for the Chromium Embedded Framework as a simple wrapper around a web application. In my web application, I make a JSONP AJAX call out to another domain to get some data and display it. The URL to that domain is not using SSL. Because of that, when doing this in the Chrome browser, I get the following message, to which the end user would simply click "Load Anyway", allowing the JSONP request to fire and the data to be retrieved...
The app using CefSharp simply starts up the main URL to my web application when it runs. When I try and make the same call in my this application using CefSharp, however, it doesn't get that same prompt. Instead, the AJAX request just times out (the same behavior that happens when the end user never clicks a button in the yellow bar that appears in Chrome).
Does anyone know if CefSharp has a way for me to catch this security message and either...
Prompt the end user to click "Load anyway", similar to the behavior of the Chrome browser, or
Programmatically bypass the security warning altogether?
If not, does the Chromium Framework itself support dealing with this situation?
After posting to CefSharp and CEF projects, it looks like CEF does not currently support this situation. magreenblatt suggested a couple of approaches to add it to CEF. Now I just need to try and find the time to add support for it. :-)
I'm trying to figure out right configuration for cross origin AJAX call in Safari extension injected script.
My configuration in Extension Builder:
Extension Website Access: All
Include Secure Pages: true
Whitelist: -
Blacklist: -
My goal is to get something like Chromes "permissions": "http://mysite.com/*", and be able to pull user configuration from web service.
note: JSONP drops warning, so I would prefer to avoid it.
Any luck with this? I'm having the same problems. Same setup works fine in the Chrome extension, but hitting Access-Contol-Allow-Origin when trying to do it in Safari Extension.
FIXED - UPDATE:
Hey, I figured out what the problem is. So, it looks like you need to do the cross-domain ajax via the background page. What I end up doing is determining all the requests I need to make in the injected script, then message pass the requests to the background page. The background page listens for messages from the injected script, makes the appropriate ajax calls, and then sends the results via a message to the injected script. The injected script is then listening for messages from the background page, once it gets the message(s) with the ajax results, it takes the appropriate action in the page that's being viewed.
I have a page that gathers environment status from a couple of IBM WebSphere servers using iframes similar to this:
<iframe src="http://server:9060/ibm/console/status?text=true&type=server&node=NODE&name=ServerName_server_NODE"></iframe>
and it happily prints out "Started" or "Unavailable" etc. But if I load the same url in a normal browser sometimes it works, sometimes it does not? Some of them are showing a login page, while others are simply return HTTP code 500.
So whats the difference between loading the page through an iframe vs through a browser?
I can tell you that the iframe solution works no matter which machine I am doing it on, so I do not belive it has anything to do with the user whos opening the page. And before you ask, why not keep the solution that works, well its because it takes a long time to open the page with the iframes vs a page where everything is requested through ajax.
Update: Using jQuery to perform the ajax call returns "error" and "undefined" for the servers that I can't see in a normal browser.
One difference is an iframe has to render the view while XHR would not.
An iframe is essentially the same as opening with the browser. In both cases the browsers credentials are used, so there will be no difference between the two.
Secondly, loading something in an iframe should take the same amount of time as requesting it through XHR, since in both cases the browser makes an HTTP request and waits for the response. Although I should add that an iframe will take time to render the content onto the page. However if you plan on displaying it with ajax anyways, an iframe/xhr solution will be more or less the same.
In case of ajax request same origin policy (which restricts cross domain call) comes into picture. So you can't make cross domain call using xhr. Alternative for same is embed flex swf file in your page as activex control and make flex call through javascript and then flex is responsible to make cross domain call (flex can if targeted domain allows cross domain using crossdomain.xml) and renders result using javascript again.