Remove From My Forums

Possible to break cross domain iframe security in WinJS?

Question
0

Sign in to vote

If I have this code:

var iframe = document.createElement('iframe');
document.body.appendChild(iframe);
iframe.addEventListener('error', function () {
debugger;
});
iframe.addEventListener('load', function () {
debugger;
});
iframe.src = "http://i.w.inmobi.com/showad.asm?mk-siteid=xxxxxxxxxxxxx&mk-ad-slot=10&mk-ads=1&mk-version=pr-JSWP-CTATA-20121219&format=html&__t=1369195019161-hHgeUF";

The iframe gets a 400 or 404 and I get the load event instead of the error event.
In the normal web I can't get the error event since it is cross domain.

However since I am a app I thought I would be able to somehow get the error since Visual Studio knows how to show it:

APPHOST9613: The app couldn’t navigate to http://i.w.inmobi.com/showad.asm?mk-siteid=xxxxxxxxxxxxx&mk-ad-slot=10&mk-ads=1&mk-version=pr-JSWP-CTATA-20121219&format=html&__t=1369195019161-hHgeUF because of this error: 400.

Is this possible?

Wednesday, May 22, 2013 4:02 AM

Answers

1

Sign in to vote
Hi,

thank for posting!

A Windows Store app using JavaScript contains at least one HTML page. That page, and any other pages you include in the app itself, generally run in the app's local context. When you use an iframe to navigate to a remote page, that page runs in the web context and has limited access to your system.

You can use the ApplicationContentUriRules section of the app's package manifest to give a page in the web context access to your system's geolocation devices (if your app has permission to access this functionality), as well as access to the clipboard.

You can see this link:

http://msdn.microsoft.com/en-us/library/windows/apps/hh465373.aspx

http://msdn.microsoft.com/en-us/library/windows/apps/br211416.aspx

Cross Domain:

http://msdn.microsoft.com/en-us/library/windows/apps/br229787.aspx

Hope this helps!
- Marked as answer by Will ShaoMicrosoft employee, Moderator Monday, June 3, 2013 5:36 AM
Wednesday, May 29, 2013 8:27 AM