Expert Needed!!! - "Permission denied to get property..."

[spam_banjo]

Right... I've really been looking hard into this one and seem to be getting nowhere.

The problem is on the 'Domain Selections' part of this page.

The form is a basic request for information to help us set up new sites to our content management system, and set up monthly payments via Paypal.

I have set up an area near the bottom of the page to list, and check availability of 3 domain names our customers would consider as they're address. There is an iFrame on the page (the red one - It's normally hidden!) that goes of to another of our sites and checks for availability of the domain.

The frame is then sent back to a page on same domain as the parent, with query string variable for the name of the domain, a reference number (for the form field, img, etc) and the result of the availability (1/0).

These variables can be seen in the following order in the red iframe after you click the little clock icon:
[REF NO] - [DOMAIN NAME] - [IS AVAILABLE]

-------------

This is where my problems start.

For some reason I am getting an "Error: uncaught exception: Permission denied to..." on anything I try to do to get the answers back to the parent page. I've tweaked and messed around loads, but for the life of me can't get it to work.

I know there is a permissions issue when doing things like this across domains, hence landing on a local page before attempting to pass anything back... but could the fact that the frame has been to another site be causing my problems?!?!?!?

Any help would be greatly appreciated.

[jscheuer1]

Without looking under the hood of your page, which I may do later if need be, I can tell you that grabbing content from another domain via javascript isn't allowed. However, if the page in the iframe is truly on the same domain as the top page at the time that the information is requested from it, it should be available.

Now, even when both pages are on the same domain, if one is using the DNS version of the URI and the other is using the numbered version (I noticed that your link used the numbered version, so your top page is numbered), even if they are both on the same domain, the browser won't know it. I think this may even happen if one page uses:

www.

and the other does not. Best to have both pages use the exact same form of the DNS URI, as in some situations, the numbered version will be converted without your knowledge. This can be especially true in a case like an iframe, where you don't actually see the URI.

In any case, if you haven't used some sort of server side code in the first place to fetch the off site content to a page on the local server, you will never overcome the security requirement.

[jscheuer1]

OK, I'm getting this error:

Error: prevframe is not defined
Source File: http://87.194.16.86:777/?ref=7&w=w#domains
Line: 135

Code:

function loadpage(){

//	alert('loaded') ;
	prevframe.location='images/the_images.asp' ;

}

And the connection is timing out on (FF):

The server at 192.168.1.69 is taking too long to respond.

Opera:

You tried to access the address http://192.168.1.69:777/4site-iframe_postback.asp?domain_name=scouter.co.uk&domain_number=2&answer=0, which is currently unavailable. Please make sure that the Web address (URL) is correctly spelled and punctuated, then try reloading the page.

[spam_banjo]

Dunno what has happened... everything fine this end.

Would you mind looking again for me please?!?

[spam_banjo]

OK, I'm getting this error:

Code:

function loadpage(){

//	alert('loaded') ;
	prevframe.location='images/the_images.asp' ;

}

And the connection is timing out on (FF):



Opera:

Sorry I only just read that properly... My mistake... Damn LAN!!!


Will fix if you wouldn't mind another glance

[jscheuer1]

I'm still getting that error, but not the other one I had mentioned. It appears that:

Code:

Error: prevframe is not defined
Source File: http://87.194.16.86:777/?ref=7&w=w#domains
Line: 135

is unrelated to the functionality of the domain check routines, which are now working in IE 7, Opera 9.24, and FF 2.0.0.11.

However, in IE 7 I get a phishing filter warning:

"Suspicious Website"

A website that is flagged as suspicious has some of the characteristics typical of phishing websites, and it is neither on the list of legitimate websites that is stored on your computer nor on the online list of reported phishing websites. The website might actually be legitimate, but you should not submit any personal or financial information to it unless you are certain that the site is trustworthy.

[spam_banjo]

Thanks for that buddy... clearly the second IP not being updated caused the problems.

However, in IE 7 I get a phishing filter warning:

"Suspicious Website"

Any idea what could be causing that other than the use of the IP address?!?


The script goes off to a page in sites4biz.co.uk to use the whois function... although I've not had any messages from methods like this before.

[jscheuer1]

After that happened, I looked into it a bit. "Suspicious Website" merely means that according to the evolving heuristics of Microsoft's anti-phishing servers, that the web site could either be a phishing site or a site vulnerable to XSS (cross site scripting). At first blush, one might assume it is because content from another domain is being fetched. However, since these heuristics also include detection of sites that request personal information (like information on a user's PayPal account - as your page does) that do not have SSL, it might be that. From the MS whitepaper:

Best Practices
Although there are obviously many aspects of filtering technologies that cannot be publicly disclosed, Microsoft is encouraging legitimate Web service providers (many of which are small businesses without the IT resources of larger providers) to follow some simple rules that can help avoid the “yellow warning button”:

• Certification. If Web site owners intend to ask users for personal information, they should have secure sockets layer (SSL) certification.
  
• Security. Legitimate Web site owners should continually make sure their sites are as secure as possible from outside attacks by maintaining up-to-date firewalls and installing all necessary security updates.
  
• Cross-site scripting attacks. All Web site owners should be protecting themselves by using anti-cross-site scripting attack tools.
• External content. If a Web site intends to post external or third-party content, it is recommended that the content be secure and from a known and trusted source

If you feel your site has been unjustly labeled as Suspicious, and that it isn't vulnerable itself, you may request a review by loading your site in IE 7 and clicking on the "Suspicious Website" alert and following the links for doing so. Reviews are promised to be reasonably fast and impartial.

Suspicious means only that, it doesn't mean that there is anything necessarily wrong going on. But there could be some problem that you aren't even aware of, something other than what we've already covered in this thread, perhaps.

[spam_banjo]

However, since these heuristics also include detection of sites that request personal information (like information on a user's Paypal account - as your page does)

Interesting. The Paypal information is not requested until the next page, which is obviously Paypal hosted. Seems strange that I would be flagged as suspicious. I'm using Paypal BECAUSE I can't use SSL at this time.

I'll look into it more immediately.

Thanks for your help.
Once again the forums have done me proud.

I like it here!!!

Thanks again!