iframeTagProxy ?

Printable View

17 Jul 2007, 3:50 AM
king7532

iframeTagProxy ?

Hey,

For my web app, I need the ability to get HTML pages from other servers. With Ext's built-in HttpProxy the HTML pages must be on the same domain where my web app is located. Obviously this will not work me, but using an iframe tag you can give it any URL and it will get that page.

Before I actually write any code, I was wondering if anyone else had the same problem and already wrote some code similar to what I would call an "iframeTagProxy" object?

If you would be interested in such an object post some of your requirements/needs so I can make this as useful as possible.

Benjamin
17 Jul 2007, 7:57 AM
galdaka

Scripttagproxy support cross domain request
17 Jul 2007, 7:18 PM
JeffHowden

You won't be able to read the src of an iframe that's got a document loaded from another domain. You'll run up against built-in browser domain security restrictions.
17 Jul 2007, 11:07 PM
DigitalSkyline

Right, in order to do this you would need to scrape the data using your server and a XMLHttpRequest or equivalent as a proxy.
18 Jul 2007, 3:10 AM
galdaka

ScripTagProxy: http://extjs.com/deploy/ext/docs/out...tTagProxy.html

Other discussions:

http://extjs.com/forum/showthread.ph...=scriptagproxy
18 Jul 2007, 11:32 AM
king7532

Subspace: Secure Cross-Domain Communication for Web Mashups

Check out this research paper presented at WWW 2007

http://www2007.org/papers/paper801.pdf

This paper shows the technique of nested iframes, to enable secure cross-domain communication. The technique relies on document.domain, and offers details on iframe security in the various browsers.

I tried Googling for that javascript lirbary to no avail. I have emailed the authors and am waiting for a reply.

There is enough detailed information in the paper to code this library in javascript. If I don't hear back from the author's I might get started coding it myself because its a really awesome technique for secure cross-domain communication using iframes

Benjamin
18 Jul 2007, 2:43 PM
JeffHowden

There's nothing particularly special or groundbreaking about the multi-iframe technique detailed in that paper. It still relies on all parties properly setting the document.domain to the same domain value. This simply isn't doable without nearly having source control of both ends of the transaction.

The only reason for the multi-iframe approach is to keep the untrusted page from accessing things at the top-level that it shouldn't have access to. However, as both parties have to set the same document.domain setting, how untrusted is the other party really?

For truly untrusted sites where you can't set document.domain, you're stuck with on solution.