Jim,

This is done for security reasons. Imagine someone creating his own
scripting to access JavaScript methods which return sensitive
information (bank account).

There are some things one can do, like P3P tags, but essentially it
comes down to someone modifying the cross domain scripting settings in
the browser.

For IE, this is done by a checkbox, and for Firefox you need to
uncomment some lines and invoke the PrivilegeManager to enable
UniversalBrowserRead.

if (typeof netscape != 'undefined' && typeof netscape.security != 'undefined') {
        netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
}

Sometimes it can be a pain in the ass, but I am glad the security is
there. 

Micha Schopman
Project Manager


-----Original Message-----
From: Jim Davis [mailto:[EMAIL PROTECTED] 
Sent: Tuesday 24 May 2005 3:19
To: CF-Talk
Subject: RE: (OT) Object tag - text/html in IE Cross Domain

> -----Original Message-----
> From: James Holmes [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 23, 2005 9:25 PM
> To: CF-Talk
> Subject: RE: (OT) Object tag - text/html in IE Cross Domain
> 
> ROFL.
> 
> It's similar to an iframe in the way it works (and that's how I ended up
> doing it) but there is one small difference - an iframe's navigation is
> self-contained (i.e. links open inside the iframe) whereas the object
> tag's links (by default) target the browser containing the tag like any
> other. This difference may be more of a security hassle, I guess.
> Luckily in this instance the code I included had no links so the end
> result was almost identical using the iframe.

The only reason I'm being such a prick about this is that I've been
through it.

Our company was bought out and we wanted to combine our websites -
content from both servers in the same frame.  But we had all sorts of
cross-site scripting issues.

I spent some time and figured out an inelegant, but perfectly usable
system for passing information across sites using the status bar.  This
was because it turned out that browsers from different domains could
still both read and write to the status bar (at the time it worked in
everything but IE 5.5 - although oddly it did work in IE 6).

The code essentially created asynchronous messaging queues between two
sites - it was actually pretty slick.  (I've still got it if anybody
wants to take a look.)  It allowed scripts from different domains to
share text data.

(As an aside I still think that's something that should be allowed via
some specialized code.  There should be some standardized location -
something like a "public" object which is accessible to all scripts in
the instance - that way different sites that choose to share data would
have the ability to, but the default behavior would be safe.)

I made the mistake of posting a question about how to fix the IE 5.5
issue to a public forum which started a whole tirade about cross-site
browser security.  Several people sent messages to the various vendors -
now my code doesn't work in any of the new browsers.

Because of that I'm just overly wary of taking advantage of anything
that even has shades of that.  I just don't want to get used to
something only to have the capability disabled just when I've gotten
used to relying on it. ;^)

Jim Davis
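
Added example, not code from this thread or from any of its posters: the opt-in text sharing with a safe default described in the aside above is what browsers later standardized as window.postMessage. The receiving side below runs against constructed events; ALLOWED_ORIGINS, MAX_LEN, makeReceiver, demo and the example origins are assumptions made for illustration.

```javascript
// Added example: receiver side of an opt-in, text-only cross-origin channel.
// ALLOWED_ORIGINS, MAX_LEN and makeReceiver are hypothetical names.
const ALLOWED_ORIGINS = new Set(['https://shop.example', 'https://corp.example']);
const MAX_LEN = 4096; // cap on message size, in characters

function makeReceiver(allowed, onText) {
  return function handle(event) {
    // Safe default: exact-match allow-list. Substring or suffix checks
    // would let https://corp.example.attacker.test through.
    if (!allowed.has(event.origin)) return 'rejected:origin';
    // Text only: never accept objects, and never eval() the payload.
    if (typeof event.data !== 'string') return 'rejected:type';
    if (event.data.length > MAX_LEN) return 'rejected:size';
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (e) {
      return 'rejected:parse';
    }
    if (msg === null || typeof msg !== 'object' ||
        typeof msg.topic !== 'string' || typeof msg.text !== 'string') {
      return 'rejected:shape';
    }
    onText(event.origin, msg.topic, msg.text);
    return 'accepted';
  };
}

// Constructed sample events standing in for browser MessageEvent objects.
function demo() {
  const inbox = [];
  const handle = makeReceiver(ALLOWED_ORIGINS, (origin, topic, text) =>
    inbox.push({ origin, topic, text }));
  const good = JSON.stringify({ topic: 'cart', text: '3 items' });
  const results = [
    handle({ origin: 'https://corp.example', data: good }),
    handle({ origin: 'https://corp.example.attacker.test', data: good }),
    handle({ origin: 'https://shop.example', data: { topic: 'cart' } }),
    handle({ origin: 'https://shop.example', data: '{not json' }),
    handle({ origin: 'https://shop.example', data: '{"topic":"cart"}' }),
  ];
  return { results, inbox };
}

// Browser wiring: window.addEventListener('message', makeReceiver(ALLOWED_ORIGINS, cb));
// The sender names the one origin allowed to read the message:
//   otherWindow.postMessage(JSON.stringify({ topic, text }), 'https://corp.example');
```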