[thelist] Cross-site scripting

Richard Bennett richard.bennett at skynet.be
Thu Sep 20 15:11:42 CDT 2001

Two ways that I know of:

1) The project is an internal company site, like an intra-net, change the
files to .hta, run them from the client-machines (they need to be
downloaded) and add application="yes" to the iframe.

2) You can use PHP or ASP to grab the external page's content, and load the
PHP page in the IFrame. The PHP page is the same domain.


> However, a few of the pages for the site are farmed out of the clients
> content management system (rather stubbornly, since we could provide our
> and this runs on a different domain.  The IFRAME mentioned above is also
> and the document within comes off of the same server as before.  Hence the
> parent document is on a DIFFERENT domain to the one in the IFRAME.  Hence
> scripting used to communicate between the two docuents (for the refresh
and for
> other data exchange) isn't allowed by the web browser for security

More information about the thelist mailing list