HTML advice needed, please. iframes and sandboxing.

Discussion in 'General Software' started by TonyR, Jun 12, 2019.

  1. TonyR

    TonyR Member

    Joined:
    Jun 29, 2001
    Messages:
    680
    Location:
    NSW South Coast
    I have an HTML file hosted on my web site which contains a lot of JavaScript, but no iframes. The URL is https://www.gillandtony.com/Geocaching/stats1.html

    When I load the file directly from the web site it all works perfectly. If you click on the link, you will see that the buttons at the top (Home, Special, DNFs, etc.) all work. However, the most common way to access this is from a link on another web site. This link is inside a sandboxed iframe and when I click the link, none of the JavaScript works. Someone has analysed why the JS doesn't work and they reported that the console gave over 100 messages:

    Blocked script execution in 'https://www.gillandtony.com/Geocaching/stats1.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

    As I said, I don't have any iframes in my html, so why this happens is beyond me. My only idea is that somehow the restriction carries over from one side of the link to the other.

    Unfortunately you won't be able to experience the problem yourself unless you are a geocacher and have a membership at geocaching.com. If you are, then go to my profile page
    https://www.geocaching.com/p/default.aspx?u=Gill & Tony and then click on the link near the bottom. If you are really keen to see it for yourself, you can sign up at geocaching.com. Basic membership is free.

    Other people have tested and it seems to fail every time on Windows using IE, Firefox or Chrome, on Android using Chrome or Internet and on MacOS using Chrome. MacOS using Safari doesn't appear to have the same problem.

    One other thing, the problem does not occur if I shift-click the link so the page opens in a new window. It is only in the same window but different tab that gets the problem.

    Anybody have any ideas how I can fix this?

    Thanks

    Tony
     
  2. mr camouflage

    mr camouflage Member

    Joined:
    May 25, 2012
    Messages:
    770
  3. waltermitty

    waltermitty Member

    Joined:
    Feb 19, 2016
    Messages:
    937
    Location:
    BRISBANE
    Seems to be working for me mate, you might need to contact geocaching.com and ask if they know what's going on
     
  4. waltermitty

    waltermitty Member

    Joined:
    Feb 19, 2016
    Messages:
    937
    Location:
    BRISBANE
    His page is being embedded by geocaching.com, so not a lot he can do apart from asking them
     
  5. OP
    TonyR

    TonyR Member

    Joined:
    Jun 29, 2001
    Messages:
    680
    Location:
    NSW South Coast
    Does this mean that I have to add an iframe to my code? How does that work? The actual page is created by a separate program. I just feed it my details and it creates the HTML on the fly.

    Maybe I could create a dummy page which just has an iframe saying allow everything and then have an automatic redirection to the real page. So my profile would point at the dummy page and the dummy page would redirect to the real page.

    I have contacted Groundspeak (the company which operates geocaching.com) and have not yet had a reply.

    I'll await developments
     
  6. mr camouflage

    mr camouflage Member

    Joined:
    May 25, 2012
    Messages:
    770
    No. I thought you were trying to include a page from geocaching.com on your website, but it appears you are doing the opposite.

    I don't know what the geocaching page looks like, not a member, but I'd guess it is including your page in an iframe.

    Maybe you could try putting some frame busting code on your page so that it breaks out of the frame and loads your page.

    e.g. at the top of your generated page after <head> something like

    <script>
    /* break us out of any containing iframes */
    if (top != self) { top.location.replace(self.location.href); }
    </script>
     
  7. waltermitty

    waltermitty Member

    Joined:
    Feb 19, 2016
    Messages:
    937
    Location:
    BRISBANE
    Depending on geocaching's CSP, any inline scripts may not execute
     
  8. OP
    TonyR

    TonyR Member

    Joined:
    Jun 29, 2001
    Messages:
    680
    Location:
    NSW South Coast
    Geocaching.com doesn't include my page in an iframe, the iframe includes the link to my page. The code contained in the iframe is
    When I click that link, the page opens in a new tab and that tab doesn't allow JavaScript. Any other method of accessing my stats page allows JS.
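
The console message quoted in the first post matches how browsers pass an iframe's sandbox flags on to tabs opened from inside that frame. The following is an added example, not part of any post in this thread, and its sandbox attribute values are constructed because the thread does not show geocaching.com's markup; it models that inheritance rule in JavaScript:

```javascript
// Simplified model of HTML sandbox flag inheritance for a tab opened from
// a link inside a sandboxed iframe. The token names are real sandbox
// keywords; the attribute values used below are constructed samples.

// Parse a sandbox attribute value into a set of lowercase tokens.
// null/undefined means the iframe has no sandbox attribute at all.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
}

// What happens when a target="_blank" link inside the frame is clicked.
function popupOutcome(sandboxAttr) {
  const tokens = parseSandbox(sandboxAttr);
  if (tokens === null) {
    // Not sandboxed: the new tab behaves like any normal navigation.
    return { opens: true, inheritsSandbox: false, scriptsRun: true };
  }
  if (!tokens.has("allow-popups")) {
    // Without allow-popups the new tab is never created.
    return { opens: false, inheritsSandbox: false, scriptsRun: false };
  }
  if (tokens.has("allow-popups-to-escape-sandbox")) {
    // The new tab starts unsandboxed, whatever the frame's other flags are.
    return { opens: true, inheritsSandbox: false, scriptsRun: true };
  }
  // Default: the new tab inherits the opener frame's sandbox flags, so
  // scripts run there only if the frame itself was allowed to run them.
  return { opens: true, inheritsSandbox: true, scriptsRun: tokens.has("allow-scripts") };
}

// Constructed sample attribute values (hypothetical, not from the thread).
const SAMPLES = [
  null,                                          // plain iframe or page
  "",                                            // sandbox with no tokens
  "allow-popups",                                // matches the symptom described
  "allow-popups allow-scripts",
  "allow-popups allow-popups-to-escape-sandbox", // embedder-side fix
];

function report() {
  return SAMPLES.map((attr) => ({ sandbox: attr, ...popupOutcome(attr) }));
}

console.table(report());
```

Only the embedding site can change the outcome, by adding `allow-popups-to-escape-sandbox` or `allow-scripts` to its iframe. A script in the linked page cannot lift the restriction, because the inherited sandbox blocks that script as well.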
     
