Page 1 of 1
src != location.href for frames
Posted: Wed Jun 02, 2010 1:49 am
by dhouwn
A weird script using old-school DOM access to check for "frame manipulations" does not let me log-in when I have frame blocking on all sites activated.
BTW: Frame placeholders do not resize.
Re: src != location.href for frames
Posted: Wed Jun 02, 2010 6:33 pm
by dhouwn
To illustrate the problem:
Code: Select all
<!DOCTYPE html>
<html>
<head>
<script>
window.setTimeout(function() {
alert(document.getElementById('frame').src);
alert(frame.location.href);
}, 2000);
</script>
</head>
<frameset>
<frame src="http://www.example.org/" name="frame" id="frame">
</frameset>
</html>
Re: src != location.href for frames
Posted: Wed Jun 02, 2010 6:40 pm
by Giorgio Maone
Are you actually outlining a NoScript bug and/or proposing a solution/work-around other than enabling frames for that site (or using a script surrogate to neutralize the script)?
Re: src != location.href for frames
Posted: Wed Jun 02, 2010 7:26 pm
by dhouwn
I am proposing that NoScript should spoof "location.href" just like it apprently spoofs the "src" property for frame element placeholders.
Re: src != location.href for frames
Posted: Wed Jun 02, 2010 8:57 pm
by Giorgio Maone
Unfortunately this is far from trivial, because it would require attaching expando properties to each placeholder, and therefore should be done injecting a content-level script which "knows" about placeholders (i.e. performance hit and added complexity).
Re: src != location.href for frames
Posted: Thu Jun 03, 2010 2:10 am
by dhouwn
I can simply override those properties which only become visible when you use DOM Access 0?
Well, I guess it would be simpler for me to simply override the checking function (all inline scripts BTW) on DOMContentLoaded…