表单提交目标的父事件处理程序 = _parent 浏览器兼容性

发布于 2024-10-03 14:20:13 字数 2362 浏览 1 评论 0原文

提交表单时,我无法捕获事件。

我正在处理一个我无法控制的第三方 iframe,当用户单击那里的提交按钮时,它会调用一个 javascript 函数,该函数在 javascript 中执行 form.submit() 操作:

target="_parent". 

此第三方 iframe 也在内部嵌套的 iframe。

由于这包含 html javascript 和不同的文档,因此我尝试尽我所能地表示它:

pseudocode:

[page mydomain.com/main]
    [iframe mydomain.com/inner-frame]
        <script type="text/javascript">
            window.onbeforeunload = function(){
                alert('trying to submit');
            }
        </script>

        [iframe third-party-iframe.com]
            <form action="mydomain.com/form-action" target="_parent" method="POST">
                <input type="submit" />
            </form>
        [/ third party iframe]
    [/iframe]
[page]

问题是表单提交事件似乎没有在父文档中一致地捕获。

我需要知道这一点,以便在提交表格后我可以做一些事情。

在 Firefox 中, onbeforeunload 事件会触发,但在 chrome 中不会,并且在触发任何事件之前似乎会出现“不安全的 JavaScript 尝试访问框架”错误。

同样奇怪的是,表单提交不会提交到 iframe 的父级,它只是使用该 url 打开一个新选项卡(在我的示例中为 form-action.php)。

谁能解释一下这种行为是什么?我什至不确定这种行为(没有事件触发,新的浏览器选项卡)是否是 javascript、iframe 或浏览器的功能。

另外,当您提交 _parent 时,要侦听的正确事件是什么?以及去哪里听?我假设 _parent 指的是框架的直接父级。

=====================================

更新:

我错误地陈述了问题,但我明白了为什么它不起作用:

事实上,代码看起来更像是这样:

pseudocode:
[page third-party-site.com]
  [page mydomain.com/main]
     [iframe mydomain.com/inner-frame]
        <script type="text/javascript">
            window.onbeforeunload = function(){
                alert('trying to submit');
            }
        </script>

        [iframe third-party-site.com/iframe]
            <form action="mydomain.com/form-action" target="_parent" method="POST">
                <input type="submit" />
            </form>
        [/ third party iframe]
      [/iframe]
  [page]
[/page]

出于调试原因,我正在查看第一个 iframe 之外的页面,所以我假设 Third-part-site.com 上的表单试图重定向 mydomain.com 内的某些内容,并且浏览器阻止此子第三方 iframe 重定向父级。

当我将 mydomain.com 放回到它自己的 iframe 中(它将在生产代码中)时,浏览器不再阻止此重定向 - 看来这导致了我的跨域问题,因为当我尝试时代码不起作用设置包含 mydomain.com 的 localhost iframe。浏览器看起来希望顶级父域与内部-内部-内部 iframe 域相同。

这表明 _parent 表单属性不是指上下文父级,而是指顶级父级? (虽然事件捕获发生在该 iframe 的直接父级中......)也许它总是会一直冒泡?

顺便说一句,如果有人想知道,这是一个 Facebook 应用程序,它是一个画布页面,其中包含一个 iframe,其中有一个多好友请求选择器。

I am having trouble capturing an event when a form submits.

I am dealing with a third party iframe over which I have no control, and when the user clicks a submit button there, it calls a javascript function that does a form.submit() in javascript with:

target="_parent". 

This third-party iframe is also inside a nested iframe.

Since this encompassed html javascript and different documents, I tried to represent it as best I could:

pseudocode:

[page mydomain.com/main]
    [iframe mydomain.com/inner-frame]
        <script type="text/javascript">
            window.onbeforeunload = function(){
                alert('trying to submit');
            }
        </script>

        [iframe third-party-iframe.com]
            <form action="mydomain.com/form-action" target="_parent" method="POST">
                <input type="submit" />
            </form>
        [/ third party iframe]
    [/iframe]
[page]

The problem is that it seems like the form submit event isn't captured consistently in the parent document.

I need to know this so I can do something after the form is submitted.

In firefox, the onbeforeunload event fires, but in chrome it doesn't and it seems to error out with an "Unsafe JavaScript attempt to access frame" before any events are fired.

Also strange is the fact that the form submit doesn't submit to the parent of the iframe, it just opens a new tab with that url (form-action.php in my example).

Can anyone shed some light on what this behavior is? I'm not even sure if this behavior (no events fired, new browser tab) is a function of the javascript, the iframes, or of the browser.

Also, what is the correct event to listen for when you have a _parent submit? And where to listen? I am assuming that _parent refers to the direct parent of the frame.

===================================

UPDATE:

I mis-stated the problem, but I figured out why it wasn't working:

In fact the code looks more like this:

pseudocode:
[page third-party-site.com]
  [page mydomain.com/main]
     [iframe mydomain.com/inner-frame]
        <script type="text/javascript">
            window.onbeforeunload = function(){
                alert('trying to submit');
            }
        </script>

        [iframe third-party-site.com/iframe]
            <form action="mydomain.com/form-action" target="_parent" method="POST">
                <input type="submit" />
            </form>
        [/ third party iframe]
      [/iframe]
  [page]
[/page]

I was looking at the page outside the first iframe for debug reasons, so I am hypothesizing that the form at third-part-site.com was attempting to redirect something inside mydomain.com, and the browser was blocking this child third-party iframe from re-directing the parent.

When I put mydomain.com back in it's own iframe where it will be in production code, the browser no longer blocks this redirect- it appears that this is caused my a cross-domain issue, because the code doesn't work when I try to set a localhost iframe containing mydomain.com. The browser looks like it wants the top parent domain to be the same as the inner-inner-inner iframe domain.

This would suggest that the _parent form attribute doesn't refer to the contextual parent, it refers to the top parent? (although the event capture happens in that iframe's direct parent...) maybe it will always bublle all the way up?

btw, if anyone cares to know, this is a facebook app, it's a canvas page that contains an iframe that has a multi-friend request selector inside.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

溺孤伤于心 2024-10-10 14:20:13

我正在研究类似的问题,并发现了以下关于 Clickjacking 的文章,其中包含这个有趣的内容一些琐事:

但是,如果攻击者将
一帧中的受害者在另一帧中(
双帧),然后访问
Parent.location 成为证券
在所有流行的浏览器中都存在违规行为,因为
后代框架导航
政策
。此次安全违规
禁用反作用
导航。

后代框架导航策略”似乎对后代框架的功能设置了一些限制到父框架。

我知道这并不能回答问题,但也许它可以阐明这个问题。但也许不是。只是想分享。

I'm researching a similar problem and came across the following article on Clickjacking that contained this interesting bit of trivia:

However, if the attacker encloses the
victim in one frame inside another (a
double frame), then accessing
parent.location becomes a security
violation in all popular browsers, due
to the descendant frame navigation
policy
. This security violation
disables the counter-action
navigation.

The "descendant frame navigation policy" seems to place some limits on what descendant frames can do to parent frames.

I know that this does not answer the question, but perhaps it will shed light on the issue. But perhaps not. Just wanted to share.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文