
iFrame quandary

Hojo
2014-06-30
2014-07-17
  • Hojo

    Hojo - 2014-06-30

    Thanks for your previous help. I'm running into another issue. In our code we have various iFrames that are being included depending on where the user is. Here is an example:

    <table class="box" cellpadding="0" cellspacing="0">
    <tr><td class="box_heading1">Ping Downs</td></tr>
    <tr><td class="box_body"><center>
      <iframe name="devicePingFrame" src="device_ping_downs.php" height="110" width="100%" frameborder="0"></iframe>
    </center></td></tr>
    </table>
    

    The iframe, when loaded as part of the page, doesn't get the csrfpId. Any suggestions for this scenario?

    Regards,
    -dave hojo

     
  • Pascal Buchbinder

    I can't imagine why this happens...

     
  • Hojo

    Hojo - 2014-07-02

    As I'm slowly starting to understand what's going on, I made this addition:

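    function addToIframe(paramName, csrfId) {
      // Append the CSRF id to the src of every iframe that points at a PHP page.
      var nodes = document.getElementsByTagName('iframe');
      for (var i = 0; i < nodes.length; i++) {
        var src = nodes[i].src;
        if (src.match(/php/)) {
          // Use "?" when the URL has no query string yet, "&" otherwise.
          var sep = src.indexOf("?") === -1 ? "?" : "&";
          nodes[i].src = src + sep + paramName + "=" + csrfId;
        }
      }
    }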

    It works until the iframe resubmits, at which time I get this which I'm at a loss to figure:

    error_log:
    [Tue Jul 01 23:06:37 2014] [error] [client 172.16.130.18] mod_csrf(020): request denied, no 'csrfpId' parameter in request, action=deny, id=-, referer: http://.../../device_ping_downs.php?GID=kh6tf5vikms8mmjv2223nr7k90&csrfpId=9kpxJBXG5m9Rk6WHUFgbMwf5Iczo24v7MioUy5sAF-XPlNz9drulUH9cpktnxj4t

    access_log:
    172.16.130.18 - - [01/Jul/2014:23:06:37 -0400] "GET /../device_ping_downs.php?GID=kh6tf5vikms8mmjv2223nr7k90 HTTP/1.1" 403 330 "http://.../../device_ping_downs.php?GID=kh6tf5vikms8mmjv2223nr7k90&csrfpId=9kpxJBXG5m9Rk6WHUFgbMwf5Iczo24v7MioUy5sAF-XPlNz9drulUH9cpktnxj4t" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

    My only guess is that after the first time device_ping_downs.php ran, the server wanted a new csrfpId for the subsequent reload?

    access_log

     
  • Pascal Buchbinder

    First: The injected script is only executed when loading the HTML page (same within an iframe). As far as I know, it is also possible to register functions to DOM tree changes. I guess such an approach could be used to add the id to HTML nodes which are loaded after the initial script execution. But be aware that this kind of JS may have an impact on performance (JS processing within the browser).

    Second: You may add HTML nodes and their attributes to the provided csrf.js script if you need. The "types" array is intended to be used for this.

    var types = [
             ["a",          "href" ]
             ];
    
     
  • Hojo

    Hojo - 2014-07-02

    Thanks for the heads up. I'll see about registering the script in the iframe and leveraging the types array.

     
  • Johannes

    Johannes - 2014-07-17

    Hi,
    I extended the types array and it is injecting fine on first execution:

    var types = [
             ["a",          "href" ],
             ["iframe",     "src"  ]
             ];

    But when I execute the form (post-submit) of the iFrame it is not executing the csrf.js again. When clicking on the submit-button it is regenerating the page inside the iframe, but the js is not parsing the DOM.

    Any help is appreciated
    Best,
    Johannes

     

    Last edit: Johannes 2014-07-17
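
The approach from Pascal Buchbinder's first point (registering a function for DOM tree changes), sketched as an added example that is not part of the thread or of mod_csrf's csrf.js. The function names are hypothetical, the parameter name `csrfpId` is taken from the log above, and the same-origin restriction is an assumption of this example.

```javascript
// Added example; not mod_csrf's csrf.js. Function names are hypothetical.
var types = [["a", "href"], ["iframe", "src"]];   // same shape as the thread's array

// Return url with name=id set exactly once. URLs on another origin (and
// javascript:/mailto: links) come back unchanged so the id is not sent
// off-site; that restriction is an assumption of this example.
function addCsrfParam(url, name, id, base) {
  var u;
  try { u = new URL(url, base); } catch (e) { return url; }
  if (u.origin !== new URL(base).origin) return url;
  u.searchParams.set(name, id);          // replaces a stale id, never duplicates
  return u.href;
}

// Rewrite one element if it is listed in types. Returns true only when the
// attribute changed, so the observer below settles after one pass.
function patchNode(node, name, id, base) {
  if (node.nodeType !== 1) return false; // element nodes only
  var changed = false;
  types.forEach(function (t) {
    if (node.tagName.toLowerCase() !== t[0] || !node.hasAttribute(t[1])) return;
    var old = node.getAttribute(t[1]);
    var fresh = addCsrfParam(old, name, id, base);
    if (fresh !== old) { node.setAttribute(t[1], fresh); changed = true; }
  });
  return changed;
}

// Browser only: patch nodes that are added, or whose href/src is changed,
// after the initial script run.
function watchDom(name, id) {
  var base = document.baseURI;
  var fix = function (n) { patchNode(n, name, id, base); };
  new MutationObserver(function (records) {
    records.forEach(function (r) {
      if (r.type === "attributes") fix(r.target);
      r.addedNodes.forEach(function (n) {
        fix(n);
        if (n.querySelectorAll) n.querySelectorAll("a,iframe").forEach(fix);
      });
    });
  }).observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ["href", "src"]
  });
}
```

An observer only sees the document it is attached to, so a page rendered inside an iframe needs its own copy of the script running there.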
