IE, iframe, cross domain, sessions

[roopurt18]

I'm trying to allow our clients to embed my site into their own home pages via an iframe.  I thought the only problem I'd encounter was using Javascript to resize the iframe to be the same height as the content.  Once I had that working though, I found a peculiar problem with IE 6 & 7.

 

I have this sample page set up:

http://www.rbredlau.com/test/ponderosa.html

 

The login page is the iframe pointing at a different host.  When I log in with FF, I have no problems.  Everything works as expected.  When I log in with IE, the page redirects to the correct login page but for some reason $_SESSION["LoggedIn"] loses it's value and I receive a site-generated message: "You do not have permission to view this page."

 

For the life of me I can't figure this one out.

 

Username: admin

Password: admin

 

The page within the iframe can be accessed at:

http://ns2271.serverpowered.net/wv/demo

 

[clanstyles]

Hate to say this but, yet again, I am not having this problem with IE

 

I am using 6 right now works 100% fine.

[roopurt18]

I just had a friend try it with IE7 and he also got in just fine.  I went into my IE settings and changed some security stuff and it's working for me now also.  I don't know which setting it was yet, but it's partway solved.

[clanstyles]

What else is wrong?

[roopurt18]

Well, users shouldn't have to change their security settings for it to work.  The idea is to make this easy on the users, not more difficult.

 

Well it appears that since the cookie is coming from an iframe and a different domain, IE treats it as a third party cookie and rejects it depending on the security settings.

 

So I found this link which explains how to correctly set up data privacy information on your site, which I think will stop IE from blocking the cookie.

 

http://www.w3.org/P3P/usep3p.html

[jonw118]

Hey there - I know this topic has been dead for a while - but roopurt18, hoping (BIG TIME!) you can help me.

 

I've been trying everything under the sun to do what it appears you have done.

 

I want to IFRAME in an EXTERNAL (Cross) domain and make the iframe resize to the page height. However, I keep running into a brick wall with everything I read - js not allowing cross-domains (creating permission errors).

 

I was about to give up - then I found your post. So it looks as if it is possible based on what you referenced.

 

I can't tell you how much I would appreciate ANY help (btw- I am able to fully edit code on both domains).

 

Thanks!

Jon

[roopurt18]

If you can control the code in both places then you might be in luck with an easy solution, found here:

http://jszen.blogspot.com/2005/03/cross-domain-security-woes.html

 

In my situation, I was only able to control the code in one of the locations, so the solution I had to come up with was a little more involved.

[jonw118]

Thanks for responding.

 

Fortunately I do have control over both places.

 

So, if I read the documentation correctly - I only have to drop that js in the <head> of both pages (the parent and the one being framed in)... and it will work?

 

I would think within the IFRAME tag it would need some sort of reference to that js, but maybe not... will have some testing ahead of me.

 

I will give that a shot. Would be beyond AWESOME if that works.

[roopurt18]

As far as I can tell that has to appear in all pages coming from all of the involved domains.  I have no idea what the repercussions would be if you had an iframe receiving JSON as its contents because you wouldn't to add tags to that output, if you know what I mean.

 

I remember reading about that solution in an O'Reilly book on JavaScript, but it wasn't applicable in my situation as I can't control all of the code.

 

If it doesn't work out for you I might be able to assist further.

[jonw118]

Well... I was hoping that would do the trick... not so much!

 

My code looks like this (obviously just testing with this code):

 

For the parent frame:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<script type="text/javascript"> document.domain="SERVER_NAME.com"; </script>
<script language="JavaScript">
<!--
function calcHeight()
{
  //find the height of the internal page
  var the_height=
    document.getElementById('the_iframe').contentWindow.
      document.body.scrollHeight;

  //change the height of the iframe
  document.getElementById('the_iframe').height=
      the_height;
}
//-->
</script>
</head>
<body>
<iframe width="700" id="the_iframe" 
onLoad="calcHeight();" 
src="http://URL.com" 
scrolling="NO" 
frameborder="1" 
height="1">
</iframe> 
</body>
</html>

 

For the page iframed in:

<HTML>
<HEAD>
<script type="text/javascript">
  document.domain="SERVER_NAME.com";
</script>
</HEAD>
<BODY>
test 123
</BODY>
</HTML>

 

Any ideas would MUCH appreciated! Thanks...

[jonw118]

I literally didn't sleep last night playing around so much on this trying to get it work - and I think I've reached the end of the Internet searching for solutions.

 

Guess it's time to concede to the fact it isn't possible (at least to my knowledge).

 

If anyone has any thoughts I'd certainly be more than open to hearing them! Not having the capability to do this puts a major bump in my project.