JavaScript

After window.open(), how do I access objects and scripts in the other window?
First, be sure to assign an 'opener' property to the new window if you are using a version of JS that doesn't do it automatically (Nav 3.0x and MSIE 3.0x do it automatically). The following script should be a part of _every_ new window creation:
var newWind = window.open("xxx","xxx","xxx") // u fill in blanks 
if (newWind.opener == null) { // for Nav 2.0x 
   newWind.opener = self // this creates and sets a new property 
}


To access items in the new window from the original window, the 'newWind' variable must not be damaged (by unloading), because it contains the only reference to the other window you can use (the name you assign as the second parameter of open() is not valid for scripted window references; only for TARGET attributes). To access a form element property in the new window, use:

newWind.document.formName.elementName.property


From the new window, the 'opener' property is a reference to the original window (or frame, if the window.open() call was made from a frame). To reference a form element in the original window:

opener.document.formName.elementName.property


Finally, if the new window was opened from one frame in the main browser window, and a script in the new window needs access to another frame in the main browser window, use:

opener.parent.otherFrameName.document.formName. ...
What does the IE4 "Access Denied" error mean when accessing a new window?
A. The "Access Denied" error in any browser usually means that a script in one window or frame is trying to access another window or frame whose document's domain is different from the document containing the script.

How can a script in one frame access data in another frame, when the domains of the respective frames are not the same?

In the following discussion, we use a scenario in which an organization (client.com) is attempting to integrate content from one server with another server or from two different vendors (www.lmsvendor.com and www.lcmsvendor.com). The first step is for the client.com to map the two systems as follows: lmsvendor.client.com and lcmsvendor.client.com.

Next, the "LMS" vendor can expand the range of access to a suffix of the site name space. For example, a page on the lmsvendor.client.com can use the document.domain property to set the access level to client.com as opposed to lmsvendor.client.com; that is, up to the second-level domain. The following JavaScript code provides an example of how this is done:

document.domain = document.domain.substring(document.domain.indexOf('.') + 1);
Similarly the "LCMS" vendor sets up the document.domain property to client.com. Please note that this JavaScript statement needs to be included in each page of the system presented in the Web browser. Since only pages from a site whose name ends with client.com will permit this domain to be set, it is assured that content from the same provider mutually agrees to interact and is free to do so. Please refer to:
http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp for more information.

The above solution works well for simple Web pages, however the following scenarios provide a few exceptions and some additional workarounds.

Scenario #1: Modifying the contents of a frameset using JavaScript in another frame or the parent frameFor example, the following code generate a permission denied error even though you have put the document.domain code in every page:

frames["frame1"].window.document.open() 
frames["frame1"].window.document.write('<HTML><BODY>New Frame Text</BODY></HTML>') 
frames["frame1"].window.document.close()
The following JavaScript code seems to address the above problem:
frames["frame1"].window.document.write('<script language="javascript"> 
document.domain=top.document.domain ;</' + 'script>') 
frames["frame1"].window.document.write('<HTML><BODY>New Frame Text</BODY></HTML>') 
frames["frame1"].window.document.close() 

Note:1) Do not use the document.open() call. Once you make this call you will get a permission denied error when you do the document.write()

2) The first line of code should write to the frameset the JavaScript code snippet that sets the domain security bounds

Scenario #2: Opening an empty new browser window and writing some text in it from the opener window:

For example, the following JavaScript creates a popup messages that works well if cross-domain security is not an issue, but it generates a ‘permission denied’ error after the first document.open() call:

newWindow = window.open("", "popup") 
newWindow.document.open() 
newWindow.document.write("Popup window text") 
newWindow.document.close() 
The following workaround seems to provide the resolution:

1) In the opener window assign the text you want in the popup window to a global variable

2) Open a valid HTML file in the new window where you want to display the popup message

var strPopupText = "Popup window text" 
newWindow = window.open("popup.htm", "popup") 
3) In the file "popup.htm" have the following two lines of JavaScript code to set the document domain and write out the popup message text stored in the variable in the opener window
document.domain = document.domain.substring(document.domain.indexOf('.') + 1); 
document.write (window.opener.strPopupText)
Conclusion

The cross-domain security problem can be effectively resolved by expanding the security access by mapping two disparate domain names onto a common domain name suffix. While the proposed solution does not solve the cross-domain issue (for example, www.lmsvendor.com and www.lcmsvendor.com will not work in the context of SCORM specification), however, it does provide an effective work-around within the current specification provided different vendors/organizations agree to implement this work-around based on customer-driven need or mutual interest.

In the future, better client-side, browser based security measures or server-to-server side communication protocols may handle this issue more elegantly.

Comments:

Questions:

See also: