Executing javascript from within an iframe

Question

I have:

1. A web server (server 1)
2. An application server running some beast of a legacy web app (server 2)
3. An iframe on server 1 pulling in the application from server 2

My problem is:

The legacy app uses JS validation on its forms. When a user attempts to submit an incomplete form, an alert pops up to notify the user that they are a dummy. Of course, this fails when the app is run inside of an iframe because server 1 and server 2 live at different domains.

I tried setting the following proxy directives on server 1:

ProxyPass /legacy_app http://server2.url/legacy_app
ProxyPassReverse /legacy_app http://server2.url/legacy_app

I'm now able to serve the iframe from http://server1.url/legacy_app , but I'm still unable to execute javascript inside that iframe -- I get the same security/access errors as I did when the app was running on a different domain.

Is there something else I can try?

Answer 1

How is the legacy app checking if the boxes are filled in? Simple javascript? Ajax?

The alert box itself should still work. I'm thinking the code for determining if the alert should be issued might be what's broken.

Running the following code on my local apache server still gives me the alert onLoad even though the page is on a remote host:

<html>
    <body>
    <div>
        <iframe src="http://www.crowderassoc.com/javascript/alertbox.html" width="300" height="200">
    </div>
    </body>
</html>

Try copying the above code to a page on server #1 and see if you get the alert box from that remote site in the iframe.

Answer 2

Have you tried hosting the script inside of a .js file hosted on server #1 but running out of the iframe (referenced out of server #2)?

I think a browser is okay with referencing an external site, but doesn't like it when it is referenced by an external site.

Haven't tried it myself, but I believe that's how I've heard of this sort of a problem being worked around. I know this is the method that Google Analytics uses - you have to request the .js file from Google's servers, but once it's there, it has access to the browser.

Answer 3

Joe, I think you are correct. A quick test with other servers shows that I can trigger alerts from remotely-hosted scripts quite easily.

The legacy server is the client's and we don't have easy access to it, but glancing at their JS it looks like they're doing some sort of cross-site/framing detection -- worth further investigation.

Answer 4

I've had this situation in the past where I was trying to build an app around a heavily scripted pre-existing app on a remote server, and the app would run fine if it was opened in its own window, but if I tried loading it into a frame, it would break.

What I ended up doing for this project was opening the local application in a pop-up with a width of 495px, loading the external app in the main (already existing) window, resizing the main external app window to the screen width minus 495px, and positioning the windows side by side on the screen. This gave the end user a similar effect to what I had been trying to do with frames, only it worked.

In case it helps, here is the code I used from my index.php file:

// Manipulating the current window
window.location.href = 'http://www.someExternalApp.com'; // setting the page location.
window.name = 'legacyapp'; // setting the window name just the for heck of it.
moveTo(0,0); // moving it to the top left.

// Resizing the current window to what I want.
mainWindowWidth = screen.width - 495;
mainWindowHeight = screen.height; // Makes the window equal to the height of the users screen.
resizeTo(mainWindowWidth,mainWindowHeight); 

// function for opening pop-up
function openWin(){
    win2 = window.open(page,'',winoptions);
    win2.focus();
}

// internal app location (for use in pop-up)
page = 'someLocalApp.php';

// internal app Window Options (for pop-up)
winoptions = 'width=490,height='+mainWindowHeight+',top=0,left='+mainWindowWidth+'leftscrollbars=1,scrolling=1,scrollbars=1,resizable=1,toolbar=0,location=0,menubar=0,status=0,directories=0';

// Opens the local app pop-up
openWin();