How to test the browser's permissions before "Unsafe JavaScript attempt to access frame with URL" (Chrome local frames)?

Posted on 2024-12-19 04:41:13

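The HTML parent window and iFrame content know about each other and communicate freely when they live on the same web server. When they are saved to DVD, Chrome throws an "Unsafe JavaScript attempt to access frame with URL" when the iFrame tries to contact top as a local file.

The catch below catches the permission error, but the error is still registered by the browser and visible to the user.

Is it possible to test first whether this access is allowed before attempting it, to preclude the unsafe JavaScript error?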

    // Called from script in an iframe
    function findSiblingIFrame(sibId) {
        try {
            var sibFrame = top.document.getElementById(sibId);
            if (sibFrame != null) {
                alert("found sibling iframe");
            } else {
                alert("did not find sibling iframe");
            }
        }
        catch (err) {
            alert("not allowed to find sibling iframe");
            // Would rather test if permission first to prevent
            // browser from registering the error.
        }
    }


Comments (2)

只想待在家 2024-12-26 04:41:13

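Just check for window.location.protocol and then you can have different behaviors whether it's running on a web server (http:) or locally (file:).

You should be aware though that different browsers have different permissions regarding these things, so you should check the user's browser too.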

抚你发端 2024-12-26 04:41:13

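I ended up using HTML5 messaging to pass potential sandboxed requests up and down the iframe hierarchy.

For example, each html page in a nested iframe hierarchy has access to the following javascript. If the caught HTML5 message request cannot be executed locally, the message is passed up to the parent. The parent can also pass messages down to iframes. This only works because all the pages have access to the same javascript file.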

    // function to handle message request
    function messageHandler(argJSON) {
        // A collection of available functions for inbound messages
        var msgFunctionMap = new Object();
        msgFunctionMap.removeBorder = removeBorder;
        msgFunctionMap.restoreBorder = restoreBorder;
        // ...more
        // try execute request
        try {
            var jsonObj = JSON.parse(argJSON.data);
            // pass the original message event plus the parsed arguments,
            // matching the (jsonMsg, argObj) signature of the handlers
            msgFunctionMap[jsonObj.request](argJSON, jsonObj.args);
        }
        catch (err) {
            alert(" Request not supported: " + argJSON.data);
        }
    };
    // declared explicitly instead of being created as an implicit global
    var xiOrigWidth;
    // example function to remove object id x's border if it exists in "this" window, else pass request up
    var removeBorder = function (jsonMsg, argObj) {
        var xiFrame = document.getElementById("x");
        if (xiFrame != null) {
            xiOrigWidth = xiFrame.style.borderWidth;
            xiFrame.style.borderWidth = '0px';
        }
        // Otherwise, pass message up
        else if (window.parent && window.parent.postMessage) {
            // "*" accepts any receiving origin; a page loaded from file: has no
            // origin string that could be named here instead
            window.parent.postMessage(jsonMsg.data, "*");
        }
    };
    //... more
    // pass predefined message request from child to parent
    function messageUpHandler(message) {
        if (window.parent && window.parent.postMessage) {
            window.parent.postMessage(message.data, "*");
        }
    };
    // Listener for child messages
    if (window.addEventListener) {
        window.addEventListener("message", messageUpHandler, true);
    }
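A receiver-side check for the messaging approach above, as an added example that is not part of the original answer: because the messages are sent with "*" and local pages report the origin string "null" in Chrome, the listener has to decide for itself which senders and which request names it accepts. The names `createDispatcher`, `trustedOrigins`, `trustedSources` and `forward` are hypothetical, and the sample event at the end is constructed.

```javascript
// Added example: sender-checked, allowlisted dispatcher for postMessage requests.
// All names here are hypothetical; only removeBorder comes from the answer.
function createDispatcher(handlers, opts) {
    // Null-prototype table, so "constructor" or "toString" are not valid requests.
    var table = Object.create(null);
    Object.keys(handlers).forEach(function (name) {
        if (typeof handlers[name] === "function") { table[name] = handlers[name]; }
    });
    var origins = opts.trustedOrigins || [];
    var sources = opts.trustedSources || [];

    return function onMessage(event) {
        // 1. Sender check. A page opened from file: reports event.origin "null",
        //    which cannot identify it, so the sending window object is compared.
        var originOk = origins.indexOf(event.origin) !== -1;
        var sourceOk = sources.indexOf(event.source) !== -1;
        if (!(originOk || (event.origin === "null" && sourceOk))) {
            return "rejected-sender";
        }
        // 2. Parse defensively; the payload is untrusted text.
        var msg;
        try { msg = JSON.parse(event.data); } catch (e) { return "rejected-format"; }
        if (!msg || typeof msg.request !== "string") { return "rejected-format"; }
        // 3. Only allowlisted request names are dispatched.
        var fn = table[msg.request];
        if (!fn) { return "rejected-request"; }
        // 4. A handler returns false when the target is not in this window;
        //    the raw message is then passed up, as in the answer.
        if (fn(msg.args) === false && opts.forward) {
            opts.forward(event.data);
            return "forwarded";
        }
        return "handled";
    };
}

// Browser wiring (not run here), for a page whose only trusted sender is its parent:
//   window.addEventListener("message", createDispatcher(handlers, {
//       trustedSources: [window.parent],
//       forward: function (raw) { window.parent.postMessage(raw, "*"); }
//   }));

// Constructed sample event standing in for what the browser delivers.
var demoParent = {};
var demoDispatch = createDispatcher(
    { removeBorder: function () { return true; } },
    { trustedSources: [demoParent] });
console.log(demoDispatch({ origin: "null", source: demoParent,
                           data: '{"request":"removeBorder"}' }));
```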
