Call to parent-frame script causes “Permission Denied”

I have a frameset page that has two frames from different domains. From one frame, I tried to call a JavaScript function on the parent page to change the URL of the other frame, but received a “Permission Denied” error.
A similar problem is described in the “Cross-frame scripting, works in FF but not IE” discussion.

  
I made sure the “Navigate subframes across different domains” was enabled for all my zones
 
> The scenario is of two different web servers. The parent frame (html
> page originates from server 1) has script like
> alert('parent invoked');
> Inside child frame (html originates from server 2) the html refers to
> parent script like
> parent.x1();
If you somehow manage to get this to work, please report it to browser
developers so they could patch it because it would be a security hole.
Essentially, you’re attempting to perform cross-site scripting, the basics
of a cross-site scripting attack, one of the more dangerous ones.
If both pages come from the same parent domain, and both of them set the property document.domain to the same parent domain, scripts running in either frame will be allowed to talk to each other. For example, say the page http://www.example.com/ loads the page http://ajax.example.com/ in an iframe. Since both pages are in the domain example.com, if both set document.domain to “example.com” they will be given the ability to programmatically access each other’s data.
Finally, I carefully read the MSDN article About Cross-Frame Scripting and Security and understood that you can set window.location.href / document.location.href in DHTML, but you can’t call a JS function from another frame, even if it does the same window.location.href assignment.
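
As an added example (not code from the original post): the standard way for a child frame on another domain to ask the parent to change the other frame's URL is window.postMessage, with the parent checking who sent the request and where it points. The origins, the frame name "content" and the message shape below are assumptions made for illustration.

```javascript
// Added example. TRUSTED_CHILD, ALLOWED_TARGETS, the frame name "content"
// and the { type, url } message shape are hypothetical, not from the post.
const TRUSTED_CHILD = "http://server2.example"; // origin of the child frame
const ALLOWED_TARGETS = new Set([
  "http://server1.example",
  "http://server2.example",
]);

// Decide whether a message event may navigate the sibling frame.
// Returns the normalized URL to load, or null when the request is rejected.
function resolveNavigation(event) {
  // 1. event.origin is filled in by the browser, not by the sending script.
  if (event.origin !== TRUSTED_CHILD) return null;
  const msg = event.data;
  // 2. Accept one fixed message shape; never eval or call functions by name.
  if (!msg || typeof msg !== "object") return null;
  if (msg.type !== "navigate" || typeof msg.url !== "string") return null;
  let target;
  try {
    target = new URL(msg.url);
  } catch {
    return null; // not an absolute URL
  }
  // 3. Reject javascript:, data: and other non-HTTP schemes.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // 4. Only load pages from origins the parent page expects.
  if (!ALLOWED_TARGETS.has(target.origin)) return null;
  return target.href;
}

// Wiring in the parent (frameset) page; skipped when run outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const url = resolveNavigation(event);
    if (url !== null) window.frames["content"].location.href = url;
  });
}

// In the child frame, instead of parent.x1():
//   parent.postMessage(
//     { type: "navigate", url: "http://server1.example/page2.html" },
//     "http://server1.example"); // targetOrigin: deliver only to this parent
```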

SQL Server Reporting Services Notes

I am doing some work with “SQL Server Reporting Services” at the moment. So I am updating this post with different links, which makes the post quite messy.

“Report Parameters” are not visible in the XML code view. It seems that they are stored in the database, but not in the XML definition.

See also Reporting Services Report Parameters

CountRows Function – Returns a count of rows within the specified scope: the dataset, grouping, or data region.

The “Every Other Page Is Blank” Feature – reduce the size of the Body to fit into the page with margins.

How to add JavaScript functions to your report?

The article Reporting Services – Add a logo to the Report Manager suggests using DHTML Behaviors (IE-specific) or editing the ReportingServices.js file.

Related article: Embedded Code In Reporting Services 

 

How to specify link targets:

SQL Server Reporting Services – IFRAME Target Links suggests adding an rc:LinkTarget parameter to the query string, with your frameset name as its value. But rc:LinkTarget applies to all links in the report.
How can I create some links in the same report with target="_self", and some with target="_blank"?
You can use javascript in the Jump to URL option of the Action property, so
you can include something like this:

="javascript:void(window.open('" & Fields!url.Value & "','_blank'))"

A few OTHER links that could be useful:

SSW Microsoft SQL Reporting Services Suggestions and Rules To Better SQL Reporting Services

Make your MS Reporting Services 2005 reports sizzle!
Writing Custom Code in SQL Server Reporting Services

Jazz Up Your Data Using Custom Report Items In SQL Server Reporting Services

Disabling the SQL Reporting Services cache   

Code Render Blocks does not work inside HEAD server controls

I had an ASP.NET page with HEAD as a server control, similar to the following:

      <HEAD runat="server">
            <% this.RenderHeadItems(); %>
            <link rel="stylesheet" type="text/css" href="WebjetStyles.css?v=<%=AssemblyVersionNumber()%>">
      </HEAD>
The first server function was called and executed successfully, but the second Code Render Block, located inside a parameter of the link element, wasn’t considered server code and was literally copied to the client HTML as &lt;%=AssemblyVersionNumber()%&gt;
Only when I removed the runat="server" attribute from the HEAD element was the second Code Render Block executed and rendered to HTML correctly.
I haven’t found any documented limitations regarding Embedded Code Render Blocks in MSDN.
However other people noticed similar problems with HEAD runat = “server”.
And in some scenarios you have to use HEAD runat = “server”.

I am calling AssemblyVersionNumber() to ensure that the browser will load the latest version of the CSS file.


Previously I posted about other unexpected behaviour of controls with runat="server":
asp:PlaceHolder can be put within html table, if it is not runat="server"
See my post Insert CSS link with updatable version number in URL for how I resolved the issue.