src != location.href for frames

dhouwn · Post by **dhouwn** » Wed Jun 02, 2010 1:49 am

A weird script using old-school DOM access to check for "frame manipulations" does not let me log-in when I have frame blocking on all sites activated.

BTW: Frame placeholders do not resize.

dhouwn · Post by **dhouwn** » Wed Jun 02, 2010 6:33 pm

To illustrate the problem:

Code: Select all

<!DOCTYPE html>
<html>
  <head>
    <script>
      window.setTimeout(function() {
        alert(document.getElementById('frame').src);
        alert(frame.location.href);
      }, 2000);
    </script>
  </head>
  <frameset>
    <frame src="http://www.example.org/" name="frame" id="frame">
  </frameset>
</html>

Post by **Giorgio Maone** » Wed Jun 02, 2010 6:40 pm

Are you actually outlining a NoScript bug and/or proposing a solution/work-around other than enabling frames for that site (or using a script surrogate to neutralize the script)?

dhouwn · Post by **dhouwn** » Wed Jun 02, 2010 7:26 pm

I am proposing that NoScript should spoof "location.href" just like it apprently spoofs the "src" property for frame element placeholders.

Post by **Giorgio Maone** » Wed Jun 02, 2010 8:57 pm

Unfortunately this is far from trivial, because it would require attaching expando properties to each placeholder, and therefore should be done injecting a content-level script which "knows" about placeholders (i.e. performance hit and added complexity).

dhouwn · Post by **dhouwn** » Thu Jun 03, 2010 2:10 am

I can simply override those properties which only become visible when you use DOM Access 0?
Well, I guess it would be simpler for me to simply override the checking function (all inline scripts BTW) on DOMContentLoaded…

InformAction Forums

src != location.href for frames

src != location.href for frames

Re: src != location.href for frames

Re: src != location.href for frames

Re: src != location.href for frames

Re: src != location.href for frames

Re: src != location.href for frames