Solved

Iframe target opens new tab/window in Chrome; works in IE/FF

Posted on 2013-01-18
14
2,539 Views
Last Modified: 2013-01-21
To reproduce: put three attached files into a folder on the hard drive.
(Your path may differ)
1. type file:///C:/t/testTarget.html into one tab of chrome
2. type file:///C:/t/testTargetContainer.html into another tab
3. In the first tab, hit either of the two links: "Try this link/submit to an iframe"

Note that a new tab is opened.  This should NOT happen -- the content of the link should appear in the iframeTarget iframe in the testTargetContainer tab.  This works in IE8, Safari, and FF17 (although FF17 gives an error on the submit, a known issue). There is no cross-domain iframe loading going on here.

Our product implements a multi-subwindow page that should be receiving these link targets, to implement a drilldown, but it fails on chrome, making chrome look bad to our customers who would otherwise like to use chrome.

I think this is a standard violation. Is there any workaround?
testTarget.html
testTargetContainer.html
CompanyLogo.gif
0
Comment
Question by:RogueCar
  • 8
  • 6
14 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
Chrome does a number of odd things when you are operating from files "file://" and not thru a webserver "http://".  Note the 'standards' are written for the web "http://" and not for "file://" access.  Try

Here is a long page about browser security restrictions including operating with local files.
http://code.google.com/p/browsersec/wiki/Part2   The restrictions on local files are there to prevent outsiders from messing with your local files.

I downloaded your files and viewed them.  In Firefox, Chrome and Opera,  clicking on either of those links opens in a new tab in both a 'file://' access and in 'http://' access.  In IE8 and Safari, they open in new windows.  In no case do they open in an iframe.
0
 

Author Comment

by:RogueCar
Comment Utility
I think you did not test this correctly.
I used File/Open on FF17 and IE8 and safari and the LOGO shows up in the testTargetContainer window's iframe 100% of the time.

It is true (if absurd) that Chrome "protects" me from reading files on my own hard drive using the file:// protocol. However, the same behavior can be seen using http:// protocol for the same html.  I used files because they are somewhat easier to exemplify.

The point is that the standard says that the "target=name" should be respected, sending the html to the (window, tab, frame, iframe) with that name, and Chrome is failing to do that, in contrast to other browsers.  If you don't agree that this should be the behavior, then this is not a problem you can solve.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
Maybe I didn't test it  correctly.  Are you saying that both files should be open at the same time?
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
I followed your directions and I see what you're talking about.  If I put the iframe in the same page as the links, it works in Chrome.  Just not when they are on different pages.
0
 

Author Comment

by:RogueCar
Comment Utility
Right. Now what our product wants to do is drill down from a hyperlink to an iframe that is already open in chrome.  The hyperlink is in a separate client program, like an email client or MS Word.
This appears not to be possible (in chrome) unless we can come up with a workaround.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
Does the link to the iframe from a client program like Word work in any browser?  I can see it working from one window or tab in a browser to another one in the same browser.
0
 

Author Comment

by:RogueCar
Comment Utility
Yes. You can create a hyperlink in MS Word and prepopulate your default browser with the target container html.  The hyperlink with the target can refer to the name of the iframe, and it is supposed to open up in the iframe, but, of course, not in chrome. This is not working 100% of the time, even in other browsers, however.
We don't need this (target specified in MS Word hyperlink) to work directly from Word, however, since the hyperlink can open up a temporary new window/tab in the default browser and then target the iframe from that window/tab. But targeting an iframe in another window/tab does not seem to work in chrome.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
0
 

Author Comment

by:RogueCar
Comment Utility
Thanks for the link. I really appreciate your taking the time to look at this issue, as the Google support forums have been silent in response to my question.  Perhaps "Do no evil" has become the "See no evil" monkey.

It appears that Chrome is trying to keep each tab completely independent from the other tabs, and so it does not allow targeting of an iframe/frame/window from another tab.  This may be part of their sandbox strategy, but it is not directly dependent on "sandbox", because Chrome still misbehaves when I use the "-no-sandbox" startup parameter.
Of course, Chrome does NOT maintain complete independence of tabs. With complete independence, nothing done in one tab should affect another tab.  However, you can see that if tab A opens and populates tab B with, say, a hyperlink, then reissuing that same url from tab A will repopulate tab B, even if tab B has been used for navigation elsewhere.

So, it seems like the "independence" only applies to tabs that are not related.  
In addition, session cookies are shared across tabs, whether they are related or not, as long as their domain is the same.  So, when I open a new tab from a completely unrelated site, The server can see the session cookies established by other open tabs (assuming common domains). (NB, you won't see the cookies in the Resources tools of the Chrome browser, but they are there if you submit a form to the server.)

So much for Chrome tab "independence". My personal opinion is that complete tab independence would make Chrome even more unusable.

I think the sandbox idea may have infected the Chrome design and made the browser less usable (by preventing some inter-tab communication), without adding any security. The security of inter-tab communications is provided by ORIGIN and CROSS-FRAME scripting protections, which both FF and IE have implemented, not by some mistaken and standard-bending leaky firewall between tabs as Chrome has invented.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
As far as support forums go, you're the only one I've ever heard trying to do this.  And if that is really true then no one has given any thought to making it work the way you want.  IE has a kind of sandboxing also they call In-Private Browsing and I think that Firefox has something too.  It's not on all the time in those browsers.  The trend is to make 'non-standard' uses more difficult because 'bad people' and websites keep causing problems.
0
 

Author Comment

by:RogueCar
Comment Utility
I agree totally with your last sentence.

Sandboxing, as I understand it,  really has more to do with protection of the local file system from the browser rather than protection of one tab from another. But you are correct that Chrome has taken sandboxing to a new level.

As the browser developers continue to reduce functionality by inserting theoretical security restrictions, they are ignoring a major user community -- namely, those behind a firewall with substantial security restrictions on sites accessible from the browser.  These users do not need most of the theory-based browser restrictions because all the sites they access on a regular basis are secure and trusted.  By making a browser safe for a 5-year-old, the developers are making their products toys that are not industrial-strength nor capable of what you call non-standard.  BTW, the standard says that my targeting of iframes is supported, even though there may be other security restrictions that prevent it. I don't classify the use of a behavior "non-standard" just because no one posts it in a support forum.

I really appreciate your feedback. Unfortunately, since you have provided no workaround nor solution to the problem, I cannot mark it as fixed. Is there some way I could do a "resolved as non-fixable" status?
0
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 445 total points
Comment Utility
No, but the guidelines for this site say that "you can't do that" is an acceptable correct answer.  Says nothing about requiring solutions or 'marking it as fixed'.

Also, anti-virus programs are implementing 'sandboxing' of browsers and other programs to 'enhance security'.  You can expect this trend to continue.  The people who try to break into other people's computers are (if you ignore the script kiddies) some very bright and determined people.

While I understand your criticism of "browser developers", you are wrong about thinking it is merely theoretical.  Almost all 'security fixes' have come about because there actually have been problems.  The people who write browsers have no way of knowing who is going to be using them so they are stuck with having to 'protect' everyone who uses their products.  The way 'around' all those security limits is to write your own complete application that does not depend on browsers.  That's what people used to do.
0
 

Author Closing Comment

by:RogueCar
Comment Utility
I will reiterate that the deprecation of iframes by removing functionality was a theoretical fix based on a couple of Stanford hackers who found a way to put a layer on an iframe to get the user to click buttons.  The problem may have been real, but the (theoretical) solution that has been implemented is huge overkill.  The main problem with the solution is that it affects the sites like Google and Yahoo, which can no longer be iframe'd at all -- are they saying that their own web site is insecure? Foolishness.
I wonder how many people actually clicked wrong buttons and got scammed as a result?  And how many users are affected by the lack of functionality in iframes? (Try millions).

It seems to me that only a very few draconian solutions were sought to this problem, and one of them was adopted, to the detriment of many who are not protected by academic tenure and who need to make browser-based applications for their livelihood. Couldn't they just check the z-index of the input button and ensure that it is the same as the z-index of the visible page? Of course they could, but then they would not be as famous and disruptive of browser technology.

If we wrote a web-based application that used a non-standard front-end as you suggest, we would not be able to sell it.  I myself have built and sold those apps in the past, but we have moved on from there.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
Google, Youtube, and Yahoo and several of my pages have code to prevent them from being displayed in a frame or iframe.  I did it as a test but I don't know why the others did except as a business decision.  You might be surprised at how many questions we get here from people who want to display other people's copyrighted material in a frame or iframe on their own site... as though it were their own.  Some get really upset when we tell them about why that is wrong and why some sites like Google don't allow it anymore.

Thanks for the points.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Introduction If you're like most people, you have occasionally made a typographical error when you're entering information into an online form.  And to your consternation, the browser remembers the error, and offers to autocomplete your future entr…
#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
In this tutorial viewers will learn how to style elements, such a divs, with a "drop shadow" effect using the CSS box-shadow property Start with a normal styled element, such as a div.: In the element's style, type the box shadow property: "box-shad…
In this tutorial viewers will learn how to embed an audio file in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: : The declaration should display (CODE) HTML5 is supported by the most recent versions of all major browsers…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now