Safely avoiding the "access denied" dialog [How to: Work around the access denied cross-domain IFRAME issue in the AJAX Control Toolkit]
This blog has moved to a new location and comments have been disabled.
All old posts, new posts, and comments can be found on The blog of dlaa.me.
See you there!
Comments
Anonymous
February 05, 2007
PingBack from http://weblogs.asp.net/bleroy/archive/2007/01/31/how-to-work-around-the-quot-access-denied-quot-cross-domain-frame-issue-in-asp-net-ajax-1-0.aspx
Anonymous
February 06, 2007
Using an ASP.NET AJAX or Toolkit page from another domain in an iframe or frame produces a cross-domain access denied error. Bleroy
Anonymous
February 06, 2007
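Using an ASP.NET AJAX or Toolkit page from another domain in an iframe or frame produces a cross-domain access denied error. Bleroy and Delay have each posted an article explaining in detail what causes the problem and how to solve it. If you have run into this problem too, you can refer to them.
Anonymous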
February 07, 2007
Thanks for the solution. It worked on IE7 but IE6 is still giving me the same errors.
Anonymous
February 07, 2007
The comment has been removed
Anonymous
February 08, 2007
Thanks a lot. With your tip, <a href="http://fusion.google.com/add?moduleurl=http://www.myunitconverter.com/Module/UnitConv/DynamicUnitConvertor/Gadget/GadgetGoogle.xml"> it is now working</a>
Anonymous
March 20, 2007
Actually the problem is more general and concerns a bug in version 1.0 of AJAX, as also reported
Anonymous
July 10, 2007
Reference URLs: http://support.microsoft.com/kb/936993/zh-cn http://weblogs.asp.net/bleroy/archive/2007/01/31/ho...
Anonymous
August 21, 2007
case Sys.Browser.InternetExplorer:
    Sys.UI.DomElement.getLocation = function Sys$UI$DomElement$getLocation(a) {
        if (a.self || a.nodeType === 9) return new Sys.UI.Point(0,0);
        var d = a.getClientRects();
        if (!d || !d.length) return new Sys.UI.Point(0,0);
        var inFrame = false;
        // Get the first bounding rectangle in screen coordinates
        var screenRects = a.getClientRects();
        if (!screenRects || !screenRects.length) {
            return new Sys.UI.Point(0,0);
        }
        var first = screenRects[0];
        // Delta between client coords and screen coords
        var dLeft = 0;
        var dTop = 0;
        try {
            inFrame = a.ownerDocument.parentWindow.frameElement;
        } catch(ex) {
            inFrame = true;
        }
        if (!inFrame) {
            var e = a.ownerDocument.parentWindow;
            var g = e.screenLeft - top.screenLeft - top.document.documentElement.scrollLeft + 2;
            var h = e.screenTop - top.screenTop - top.document.documentElement.scrollTop + 2;
            var c = e.frameElement || null;
            if (c) {
                var b = c.currentStyle;
                g += (c.frameBorder || 1) * 2 + (parseInt(b.paddingLeft) || 0) + (parseInt(b.borderLeftWidth) || 0) - a.ownerDocument.documentElement.scrollLeft;
                h += (c.frameBorder || 1) * 2 + (parseInt(b.paddingTop) || 0) + (parseInt(b.borderTopWidth) || 0) - a.ownerDocument.documentElement.scrollTop;
            }
            var f = d[0];
            return new Sys.UI.Point(f.left - g, f.top - h);
        } else {
            // Get the bounding rectangle in client coords
            var clientRect = a.getBoundingClientRect();
            if (!clientRect) {
                return new Sys.UI.Point(0,0);
            }
            // Find the minima in screen coords
            var minLeft = first.left;
            var minTop = first.top;
            for (var i = 1; i < screenRects.length; i++) {
                var r = screenRects[i];
                if (r.left < minLeft) { minLeft = r.left; }
                if (r.top < minTop) { minTop = r.top; }
            }
            // Compute the delta between screen and client coords
            dLeft = minLeft - clientRect.left;
            dTop = minTop - clientRect.top;
            // Subtract 2px, the border of the viewport (It can be changed in IE6 by applying a border style to the HTML element,
            // but this is not supported by ASP.NET AJAX, and it cannot be changed in IE7.), and also subtract the delta between
            // screen coords and client coords
            var ownerDocument = a.document.documentElement;
            return new Sys.UI.Point(first.left - 2 - dLeft + ownerDocument.scrollLeft, first.top - 2 - dTop + ownerDocument.scrollTop);
        }
    };
    break;
Anonymous
October 22, 2007
Hi! I am having the Access Denied javascript error, but it only happens on our integration server. This only happens when the page has been left unattended for a while. This happens on IE 6 & 7. I tried your fix, but I still have the same problem. Below is the code that breaks:

switch(Sys.Browser.agent) {
    case Sys.Browser.InternetExplorer:
        Sys.UI.DomElement.getLocation = function Sys$UI$DomElement$getLocation(element) {
            /// <param name="element" domElement="true"></param>
            /// <returns type="Sys.UI.Point"></returns>
            var e = Function._validateParams(arguments, [ {name: "element", domElement: true} ]);
            if (e) throw e;
            if (element.self || element.nodeType === 9) return new Sys.UI.Point(0,0);
            var clientRects = element.getClientRects();
            if (!clientRects || !clientRects.length) {
                return new Sys.UI.Point(0,0);
            }
            var w = element.ownerDocument.parentWindow;
            var offsetL = w.screenLeft - top.screenLeft - top.document.documentElement.scrollLeft + 2;
            var offsetT = w.screenTop - top.screenTop - top.document.documentElement.scrollTop + 2;
            var f = w.frameElement || null;
            if (f) {
                var fstyle = f.currentStyle;
                offsetL += (f.frameBorder || 1) * 2 + (parseInt(fstyle.paddingLeft) || 0) + (parseInt(fstyle.borderLeftWidth) || 0) - element.ownerDocument.documentElement.scrollLeft;
                offsetT += (f.frameBorder || 1) * 2 + (parseInt(fstyle.paddingTop) || 0) + (parseInt(fstyle.borderTopWidth) || 0) - element.ownerDocument.documentElement.scrollTop;
            }

Any help will be appreciated. Thanks
Anonymous
October 22, 2007
ojaytee, If you're having to patch the Toolkit, then you're probably on a fairly old release. I'd recommend upgrading to a more recent Toolkit version like the 10920 release. However, what seems more likely to be the issue is that the code you pasted is ASP.NET AJAX (not Toolkit) code that does not appear to have been patched per the instructions at http://weblogs.asp.net/bleroy/archive/2007/01/31/how-to-work-around-the-quot-access-denied-quot-cross-domain-frame-issue-in-asp-net-ajax-1-0.aspx. I'm guessing that someone patched most of your servers but missed the problematic integration server somehow. Hope this helps!
Anonymous
October 22, 2007
Hi! Delay, Thanks for your prompt response. I am very new to AJAX and some of my questions may sound a bit dull. Just a few questions:
- Is it normal for this issue to occur only when the page has been left unattended for a while?
- I had a chat with our server administrator, who is not even aware of this issue and he mentioned that the AJAXExtensionsToolbox.dll does not exist in the ASP.NET 2.0 AJAX Extensions\v1.0.61025 directory on the server. Do we need the toolkit on the server as well or will the DLLs be deployed to the server with the application?
- The other issue is that we have other applications running on the very same server, but they are not affected by this issue. These applications are using the same architecture. How could this only affect our application?
I will ask our server admin to apply the patch and feed you back the results. Thanks, John
Anonymous
October 22, 2007
John,
- I'm not sure why this would be more likely if the page has been left unattended as it's my understanding the problem is either present or not. One thing that I wonder about is if you're load-balancing and the delay causes a different server to be hit? (One that wasn't patched.)
- I can't speak for the ASP.NET AJAX patching process, but regarding proper AJAX Control Toolkit install, all it takes is for AjaxControlToolkit.dll to be in your web site's /Bin directory (on all web servers).
- As I recall, the ASP.NET AJAX patching process ends up being per-application because of the way it requires modifying the way ScriptManager is defined/used in your pages.
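Added example (not part of the original thread, and not ASP.NET AJAX or Toolkit code): the getLocation code quoted earlier in the comments reads top.screenLeft and top.document, which a frame hosted on another domain is not allowed to do, and the patched version pasted in the comments wraps its frame access in try/catch. The code below shows that guard pattern in simplified form; canReadTop, getLocationSafe and the mock objects are hypothetical names, and the mock coordinates are constructed so it runs outside a browser.

```javascript
// Added example; canReadTop, getLocationSafe and the mocks are hypothetical names.
// True only when the top-level window can be read. From a frame hosted on
// another domain, the browser raises "access denied" on these reads.
function canReadTop(win) {
  try {
    void win.top.screenLeft;
    void win.top.document.documentElement.scrollLeft;
    return true;
  } catch (ex) {
    return false;
  }
}

// Position of an element. Top-relative math (as in the quoted code) runs only
// when top is readable; otherwise only the frame's own document is used.
function getLocationSafe(element, win) {
  var rects = element.getClientRects();
  if (!rects || !rects.length) return { x: 0, y: 0, usedTop: false };
  if (canReadTop(win)) {
    var topDoc = win.top.document.documentElement;
    var offsetL = win.screenLeft - win.top.screenLeft - topDoc.scrollLeft + 2;
    var offsetT = win.screenTop - win.top.screenTop - topDoc.scrollTop + 2;
    return { x: rects[0].left - offsetL, y: rects[0].top - offsetT, usedTop: true };
  }
  var box = element.getBoundingClientRect();
  var docEl = element.ownerDocument.documentElement;
  return { x: box.left - 2 + docEl.scrollLeft, y: box.top - 2 + docEl.scrollTop, usedTop: false };
}

// Constructed stand-ins for browser objects so the example runs outside a browser.
function mockWindow(crossDomain) {
  var denied = function () { throw new Error("Access is denied."); };
  var top = crossDomain
    ? Object.defineProperties({}, { screenLeft: { get: denied }, document: { get: denied } })
    : { screenLeft: 100, screenTop: 50, document: { documentElement: { scrollLeft: 0, scrollTop: 0 } } };
  return { top: top, screenLeft: 110, screenTop: 70 };
}
var mockElement = {
  getClientRects: function () { return [{ left: 30, top: 40 }]; },
  getBoundingClientRect: function () { return { left: 30, top: 40 }; },
  ownerDocument: { documentElement: { scrollLeft: 5, scrollTop: 7 } }
};

console.log(getLocationSafe(mockElement, mockWindow(false))); // same-domain path
console.log(getLocationSafe(mockElement, mockWindow(true)));  // cross-domain fallback
```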
Anonymous
October 24, 2007
Hi, I'm in production with an application written in ASP.NET 2.0 (Ajax Enabled) and we have this problem. Since the issue is known and I read that it has been fixed for Orcas, is there a similar fix (in the DLL) released by MS to support people who develop AJAX-enabled applications with ASP.NET 2.0? Thanks a lot, Andrea
Anonymous
October 25, 2007
Andrea, I believe that the official ASP.NET AJAX 2.0 patch is detailed in the blog I link to in my original post: http://weblogs.asp.net/bleroy/archive/2007/01/31/how-to-work-around-the-quot-access-denied-quot-cross-domain-frame-issue-in-asp-net-ajax-1-0.aspx.
Anonymous
October 25, 2007
Hi Delay, yes, I read the post some weeks ago but I wrote to you because I also read: "This fix implies that you stop using the resource-based scripts and use the static file versions instead. I expect this is the fix that will be in the next service release, so when the next release of System.Web.Extensions happens, you will want to revert to using the resource-based scripts to get any other fixes or changes that are made." So because the post was written on 31 January I believe that a release version (not a workaround) of "System.Web.Extensions" was now present for people that use AJAX in ASP.NET 2.0. Thank you very much. Andrea
Anonymous
October 26, 2007
Andrea, The latest ASP.NET AJAX release was created in mid-January based on the dates in my C:\Program Files\Microsoft ASP.NET\ASP.NET 2.0 AJAX Extensions\v1.0.61025 directory. I'm not aware of any subsequent releases, so the advice Bertrand gave should still be relevant today. Please note that there is a new ASP.NET AJAX release coming as part of .NET 3.5 which should be finalized sometime in the coming months. I can't say for sure whether this particular issue was addressed there (check with Bertrand to be sure), but I'd expect that it was.
Anonymous
November 06, 2007
So I went and downloaded the new AJAX toolkit 10920 from CodePlex. I was still getting the error so I
Anonymous
March 15, 2008
The Cross-Domain issue with Ajax has bothered me for a while, it limits Ajax to a thin-client role and prevents Ajax from fulfilling the syndication niche - where what I want is <i>expressly</i> to allow others to direct data requests to me from their sites. It strikes me that the solution is really very simple: Change XMLHttpRequest to request the specified document, but if the server does not return an "XMLHttpRequest: Allowed", then perform the current behavior. You could even have XMLHttpRequest provide a specific header - e.g. "XMLHttpRequest: {originating page}" in the GET/POST request so that the remote server can respond accordingly: e.g. it might return an annotated XML file including comments when someone queries an XML file directly from their browser, but sends a more compact version otherwise.
Anonymous
March 16, 2008
kfsone, I don't have enough context to comment on your idea, but if you post it to the "ASP.NET AJAX Discussion and Suggestions" forum at http://forums.asp.net/1007.aspx, the people there can probably give you a lot of great feedback!
Anonymous
April 05, 2008
Cross domain calls by means of iframe – IE Browser restrictions and solutions All modern web browsers
Anonymous
April 17, 2008
So I tend to describe a lot of issues here, but we had some really great conversation in our blog chat.
Anonymous
July 31, 2008
One of the big problems we have when it comes to web security is the dreaded "cross-site
Anonymous
July 31, 2008
One of the big problems we have when it comes to web security is the dreaded attacks
Anonymous
August 16, 2010
RalphCEO's comment works
Anonymous
November 14, 2010
Query about sidestepping the whole problem by simply not using cross-domain frames: Will it resolve the problem if the framed site using Ajax uses a subdomain alias of the host page domain? E.g., if I use Ajax on a page hosted at sub.mydomain.com, and I display that site in an iframe on a page at www.mydomain.com, will this avoid the issue?
Anonymous
November 15, 2010
SDG, I'm afraid I'm not sure - enough has changed since I wrote this post that I'm sure anything I remember about this is at least partially wrong. Per the above, both ASP.NET AJAX and the AJAX Control Toolkit should have been fixed (or be easily fixable), so I'm hopeful this doesn't need to be much of a concern anymore!