External iframe source-code (Firebug, Selenium...) - firefox

1) I have an external iframe, and I wondered how Selenium or Firebug managed to overcome the Same Origin Policy to retrieve source code (or even execute some JavaScript).
As for Firebug, I think this has to do with cd(frames[0]) command. In Selenium, you can access content in the iframe with an xpath link, but I have no idea how it internally works.
2) Is it possible to use similar methods outside of a Firefox plugin?
3) What about IE? (or Chrome, but it is way less important)
Thank you :-)

The way that Selenium and Firebug get around it is by running in the browser chrome rather than in the JavaScript sandbox. For example, calling *firefox calls the slightly less secure version of the browser, by less secure I mean it is running in more of the browser chrome than your average user, and can do the relevant calls.
Addons and Extensions to Firefox run in this context too so can access things in the same way.

Related

Firefox duplicates URL

I am developing a website, which is currently running on my test server (IIS7). I can access the web site from any browser (including different versions of Firefox), but one specific Firefox does this:
http://www.mysite.com/www.mysite.com
I have no clue what to look for… Has anyone had such a problem?
You must have to have
link
or
link
but not
link
Some browsers do a "smart" thing to correct these URLs, but it's bad practice.

How Does Firebug Get Contents From an IFrame?

I am well aware of cross-origin restrictions when it comes to browsers, but what I don't get is how Firebug can get and display the HTML from an iframe with this restriction in place. Is there something plugins have access to that lets it get around this?
Plugins have access to quite a bit. They're not considered cross-origin, they're considered a part of your browser.

Clearing session in Firefox for every request made (Watir issue)

I'm developing a screen scraping robot that uses Watir (ruby) to crawl specific web searches.
Watir is used as the search results are delivered in pages, only available via AJAX requests.
My issue is now that to perform a new search, the browser has to be shut down in order for the search session to be cleared - otherwise the initial search overrules the change in the GET parameters.
Is it somehow possible to force Firefox to clear sessions on every request made?
Additionally, does anyone have experience solving this kind of issue via Watir?
If the session is maintained via cookies in your Firefox browser then it's possible.
All you have to do is remove the cookies from your Firefox cookies repository before it starts.
Firefox stores its cookies at (as on my Ubuntu and Mac)
~/.mozilla/firefox/12wwonrk.default/cookies.sqlite [in ubuntu]
or
~/Library/Application Support/Firefox/Profiles/eox4ghka.default/cookies.sqlite [in mac]
(prior to Firefox 3 it was cookies.txt instead of sqlite)
If you can truncate the sqlite (or the txt) then the cookies will no longer be there.
As you are running Watir you are most probably using ruby. So, if you can run these commands through system or %x[] (or compatible commands through sqlite gem/lib) before Watir::Browser.new statement, hopefully you'll be done.
./sqlite3 path/to/cookies.sqlite
DELETE FROM moz_cookies;
.quit
If you want to use Watir, you can mess with profiles as described at http://watirwebdriver.com/. Most browsers seem to get their own profile for each new instance by default.

Browser for cross-site-script testing (for testing Mozilla Add-On)

I am working on a Firefox extension that will involve ajax calls to domains that would normally fail due to the same-origin policy set by Firefox (and most modern browsers).
I was wondering if there is a way to either turn off the same-origin restriction (in about:config, perhaps) or if there was a standard lite-browser that developers turn to for this.
I really would like to avoid using any blackhat tools, if possible. Not because I'm against them, I just don't want to add another learning curve to the process.
I can use curl in PHP to confirm that the requests work, but I want to get started on writing the js that the addon will actually use, so I need a client that will execute js.
I also tried spidermonkey, but since I'm doing the ajax with jquery, it threw a fit at all of the browser-based default variables.
So, short version: is there a reliable browser/client for cross site scripting that isn't primarily a hacker app? Or can I just turn off same-domain policy in Firefox?
Use GreaseMonkey with GM_xmlhttpRequest
Did you look into HTTP Access Control?

Pass information back from an iframe?

Right now I'm building a Firefox plugin that duplicates some functionality on my website. It takes in an email address and then returns information to the user. The easiest way to do this in the plugin is to use an iframe and render that super simple form on my website. All of this works great, but to make the plugin really useful, I would like the plugin to have access to the information that the iframe renders, so it can use it in the current window that the user is in.
Is it possible to pass information back through an Iframe in this manner? I know there are quite a few domain access restrictions with Iframes, so any help or insight is appreciated!!
I've done this two ways.
If the iframe is on the same domain as the parent website, you can just, in javascript, access window.parent.
If it isn't, however...I've done a dirty trick. I'll share it here, though, as it may help.
We created a page on the other domain, which would call to window.parent.parent. We put that in a hidden iframe inside the iframed page, and send it a querystring argument or two. It's not pretty, but it gets around cross-domain scripting problems.
This basically means that you have this sort of thing:
admin.example.com
content.example.com - iframe
admin.example.com?contentid=350 - hidden iframe that makes a window.parent.parent call.
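The three-frame layout described above, modelled as an added example (not code from the original answer): it shows why the hidden admin.example.com iframe can reach window.parent.parent while the content.example.com frame cannot, and it validates the query-string value before handing it up. Frame, sameOrigin, relayToTop and buildLayout are hypothetical names, and the https:// scheme is an assumption.

```javascript
// Added illustration: a small model of the three nested frames from the answer.
// Frame, sameOrigin, relayToTop and buildLayout are hypothetical names.
class Frame {
  constructor(url, parent = null) {
    this.url = new URL(url);
    this.parent = parent;   // models window.parent
    this.inbox = [];        // values this frame accepted from a descendant
  }
  get origin() { return this.url.origin; } // scheme + host + port
}

// Browsers allow cross-frame script access only when the origins match exactly.
function sameOrigin(a, b) { return a.origin === b.origin; }

// Models what the hidden relay page does on load: read its own query string
// and call into window.parent.parent.
function relayToTop(relay) {
  const top = relay.parent && relay.parent.parent;
  if (!top) throw new Error("relay is not nested two frames deep");
  if (!sameOrigin(relay, top)) {
    throw new Error(`SOP blocks ${relay.origin} -> ${top.origin}`);
  }
  // The query string is written by the middle (foreign-origin) frame, so the
  // relay treats it as untrusted input: digits only, bounded length.
  const raw = relay.url.searchParams.get("contentid");
  if (raw === null || !/^[0-9]{1,9}$/.test(raw)) {
    throw new Error("rejected contentid");
  }
  top.inbox.push(Number(raw));
  return Number(raw);
}

// Constructed frame tree matching the layout in the answer (https assumed).
function buildLayout(query) {
  const top = new Frame("https://admin.example.com/");
  const content = new Frame("https://content.example.com/", top);
  const relay = new Frame("https://admin.example.com/" + query, content);
  return { top, content, relay };
}

const demo = buildLayout("?contentid=350");
// The middle frame is cross-origin to the top page, so it has no direct access.
console.log("content can script top:", sameOrigin(demo.content, demo.top));
// The relay shares the top page's origin, so the hand-off is allowed.
console.log("relayed:", relayToTop(demo.relay), "inbox:", demo.top.inbox);
```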
Is the point of this whole exercise functional testing of your website? If so, instead of your custom Firefox plugin, consider using Selenium to automate interactions with websites. It works with all major browsers and supports the inspection of page elements you are trying to do (using XPath). It also features a Firefox plugin called Selenium IDE that allows you to conveniently "record" your interactions with a website for automated playback later.
