Security
Browsers put certain restrictions on what information scripts can access between frames and windows.
If all the pages in these frames and windows are served from the same server, or on the same computer
when you're loading them into the browser locally, as you are in these examples, you have a reasonably
free rein over what your scripts can access and do. However, some restrictions do exist. For example,
if you try to use the window.close() method in a script page loaded into a browser window that the
user opened, as opposed to a window opened by your script, a message box will appear giving the user
the option of canceling your close() method and keeping the window open.
When a page in one window or frame hosted on one server tries to access the properties of a window
or frame that contains a page from a different server, the same-origin policy comes into play, and you'll
find yourself very restricted as to what your scripts can do.
Imagine you have a page hosted on a web server whose URL is http://www.myserver.com. Inside the
page is the following script:
var myWindow =
window.open("http://www.anotherserver.com/anotherpage.htm", "myWindow");
Now you have two windows, one that is hosted at www.myserver.com and another that is hosted on a
different server, www.anotherserver.com. Although this code does work, the same-origin policy
prevents any access to the document object of one page from another. For example, the following code in
the opener page will cause a security problem and will be prevented by the browser:
var myVariable = myWindow.document.form1.text1.value;
Although you do have access to the window object of the page on the other server, you have access to a
limited subset of its properties and methods.
The same-origin restriction applies to frames (conventional and iframes) and windows equally. The idea
behind it is very sound: It is there to prevent hackers from putting your pages inside their own and
extracting information by using code inside their pages. However, the restrictions are fairly severe, perhaps too
severe, and mean that you should avoid scripting across frames or windows if the pages are hosted on
different servers.
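The check described above, as an added example that is not part of the original text: it compares origins before touching another window and handles the browser's refusal without stopping the script. It goes slightly beyond the "different server" case by also comparing scheme and port, which browsers include in the origin; sameOrigin, readField, the stub window objects and the index.htm path are hypothetical names constructed for illustration.

```javascript
// Added example: sameOrigin, readField and the stub windows below are
// hypothetical helpers, not code from the page.

// Two URLs share an origin only when scheme, host and port all match.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA).origin;
  const b = new URL(urlB).origin;
  // URL.origin normalizes default ports (http :80, https :443). Opaque
  // origins serialize as "null" and are never treated as matching here.
  return a !== "null" && a === b;
}

// Read window.document.<form>.<field>.value, reporting a same-origin-policy
// refusal as a result instead of letting the exception stop the script.
function readField(win, formName, fieldName) {
  try {
    return { ok: true, value: win.document[formName][fieldName].value };
  } catch (err) {
    if (err && err.name === "SecurityError") {
      return { ok: false, reason: "blocked by same-origin policy" };
    }
    throw err; // anything else is a real bug (missing form, typo, ...)
  }
}

// Constructed stand-ins so the example runs outside a browser: the first
// behaves like a same-origin window, the second like a cross-origin one,
// whose document property throws a SecurityError when touched.
const sameOriginWin = { document: { form1: { text1: { value: "hello" } } } };
const crossOriginWin = {
  get document() {
    const err = new Error("Blocked a frame from accessing a cross-origin frame.");
    err.name = "SecurityError";
    throw err;
  },
};

const opener = "http://www.myserver.com/index.htm"; // constructed path
const target = "http://www.anotherserver.com/anotherpage.htm";
console.log(sameOrigin(opener, target));
console.log(sameOrigin(opener, "http://www.myserver.com:80/b.htm"));
console.log(sameOrigin(opener, "https://www.myserver.com/index.htm"));
console.log(readField(sameOriginWin, "form1", "text1"));
console.log(readField(crossOriginWin, "form1", "text1"));
```

In a real page, pass the object returned by window.open() (or a frame's window) as the first argument to readField in place of the stubs.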
Summary
For various reasons, having a frame-based web site can prove very useful. Therefore, you need to be able
to create JavaScript that can interact with frames and with the documents and code within those frames.
You saw that an advantage of frames is that, by putting all of your general functions in a single
frame, you can create a JavaScript code module that all of your web site can use.
You saw that the key to coding with frames is getting a reference to the window objects of
other frames. You saw two ways of accessing frames higher in the hierarchy, using the window
object's parent property and its top property.