Cross-Domain Communication With IFRAMES And PHP

Hi

I am working on a project that requires sending a PHP variable value generated from a web page that is displayed in another page using an iframe, to the other page. From the other page, I want to POST the received value to a third page for processing (by PHP).

I want to use window.postMessage to send the data from the web page to the other page.

I am using IE 9.

I've uploaded 2 HTML pages. The first is index.html. This is what I refer to as the "other page" above. The second page is iframe-content.html. This is what I refer to above as the "web page". So, I want to send a PHP value from iframe-content.html to index.html.

Once in inde.html, the value has to be POSTed to a third page.

I have done much searching on the web for information on how to do all this, but so far, nothing I've found works. This might be because of my gross lack of knowledge of JavaScript and cross domain communication (so that, I'm not understanding the examples, etc. well enough).

FYI, for the TargetOrigin, I am using the domain: magweb.mfs.local, which goes to a Linux box on our office network, running Apache, PHP, MySQL.

Thanks very much.
index.html
iframe-content.html
MaglinFurnitureAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

COBOLdinosaurCommented:
Let me give you the definitive answer.  You can't do that.  It is a security violation to protect servers from attack.  Every modern browser has specific safeguards to prevent script in a web page from referencing anything on another page whether is it is in an iframe, another window or even in an object tag.

An transfer you want to do will have to happen on the server side where a trusted relationship can be established.

Cd&
0
COBOLdinosaurCommented:
If it is just an internal app on an intranet then you can bypass some security limitations in IE using an HTA instead of a web page, but you would need to be careful about deployment because it opens an internal attack vector..

Cd&
0
MaglinFurnitureAuthor Commented:
@COBOLdinosaur

That's weird. I am under the impression, from what I have read on the web, the point of the window.postMessage functionality is to provide security in the transaction. Are you saying this is not the case?
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

COBOLdinosaurCommented:
The latest documentation (2013/09/25) Appears to be indicating limited support in IE.  If you are not using a transfer object you might be able to get it working based on the sample coding here:

https://developer.mozilla.org/en-US/docs/Web/API/window.postMessage

However, You need to be careful how you use it and who has access to it because there are security issues with it, and don't count on it remaining in browsers if the hackers find ways to exploit it.  Within the W3C standard it is still only a candidate recommendation.

Cd&
0
MaglinFurnitureAuthor Commented:
@COBOLdinosaur

Thanks for your advice. I was actually hoping for some code example, using the pages I uploaded. I have seen the reference you provide here, but, it didn't gel with me, probably because of my lack of knowlegde, mentioned above.

I've since found an example that I hope will allow me to proceed. In case there is any interest, it can be foound here:

http://javascript.info/tutorial/cross-window-messaging-with-postmessage

I've tested this and found it to work.

I agree absolutely that security is a primary concern. (It is one of the reason we have always used server side scripting for validation, instead of, well, JavaScript!)

Anyway, at present ,this is all only experimental.

Thanks~
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
COBOLdinosaurCommented:
I'm glad you got it working.  As long as you are aware that security needs to be kept tight on it you should be alright.

Cd&
0
MaglinFurnitureAuthor Commented:
Code example best suited to what I was looking for.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Scripting Languages

From novice to tech pro — start learning today.