Databases
StackOverflow2013
Postsdbo
POGetting around the XSS filter in web browser control
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POGetting around the XSS filter in web browser control
    primarykey
    data
    text
    <p>I am working on a pet project and need to overcome a major hurdle in an application. I have checked countless forums and articles and have only found bits and pieces of what I am looking for, so I hope a more direct approach will help me.</p> <p>Here's the scenario: 1. The site is actually a game, which uses Javascript/JSON with DHTML on a page that has several IFRAMES - two of which are deeper inside the outside page AND of a separate domain.</p> <ol> <li><p>There are NO security issues with what I am trying to do. All programming and access is limited to merely simplifying and automating normally access functions only. All authentication and private information is done prior to any access, and only the session information will ever be used, and only to facilitate game operations that the user knows will happen.</p></li> <li><p>The idea is to use the webbrowser control to access the game and provide ordinary access, while the app hosting the browser gets the game session information and makes separate automated calls to the game servers. This has already been done via Firefox using Greasemonkey scripting, and it works well - except that Firefox has a horrible memory leak that eventually causes the whole operation to break down.</p></li> </ol> <p>The problem I am running into is obvious. I am trying to access the iframe that is technically on a different domain, and the web browser DOM model won't let me in. I have seen enough articles to know there are several workarounds to XSS filter blocks but they are quite vague and vary depending on scenario.</p> <p>So, I will outline exactly what I need in hopes that I can obtain an amicable solution...</p> <ol> <li><p>I need to obtain the DOM of a nested IFRAME of a different domain. If need be I could live with just the source, but the DOM and the JS vars would be the most ideal. My strategy here is to use the session information and make HttpWebRequest calls parallel to the web browser in-game. That way I can automate some functions while still playing. It can be done - if I can get the session information and pass it the same way. It will all be done on the same client with the users permission and knowledge, so no security issues.</p></li> <li><p>I would really like it if I could pass information BACK to that IFRAME. One of the major things this project is trying to do is make some visual changes to simplify the look and feel of the interface. It is all in HTML, so changes would simply be adding some in-line styling of JS code...</p></li> </ol> <p>So anyways, what ideas and suggestions would work best? At this point I am open to all scenarios, but ideally something as simple as possible to get what I need. This is already a huge project :).</p> <p>Thanks in advance!</p>
    singulars
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PTQuestion
    1. This table or related slice is empty.
    1. USMichael
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. COYou could perhaps build a server side proxy with a few lines of C# code that gets the content for the iframes on the different domain(s) and host that on your primary domain. That way as far as the browser is concerned all frames originate from the same domain, so no security issues. I think you are fighting a losing battle trying to avoid browser security features (same origin policy) otherwise I am afraid.
      singulars
      1. POGetting around the XSS filter in web browser control
      1. USgeedubb
    2. COI am REALLY hoping to avoid adding another step in this circus, but if you have a decent proxy article that allows me to manipulate data both ways I may be able to work with it... Also, said proxy would have to be able to read https as well...
      singulars
      1. POGetting around the XSS filter in web browser control
      1. USMichael
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload