Frames and windows

Popup windows

  1. The modern use
  2. The syntax of
  3. Example: a minimalistic window
  4. Accessing the new window
  5. Accessing the opener window
  6. Summary

A popup window is one of the oldest methods of showing an additional document to the user.

Basically, you just run:'')

…And it will open a new window with the given URL. Most modern browsers are configured to open new tabs instead of separate windows.

The "Same Origin" security policy

  1. Demo
  2. Can’t get but can set
  3. The document.domain exception
    1. Example
  4. IE exceptions to Same Origin policy
  5. Cross-window messaging
  6. Summary

The “Same Origin” policy limits the access of one window to another.

The reason behind that is security. If you have in one window and in another one, then you’d not want a script from to access or modify your mail or run actions in context of gmail on your behalf.

Cross-window messaging with postMessage

  1. Example
  2. The receiving side
  3. Nifty details
  4. Summary

The cross-window messaging API is supported by all modern browsers, including IE8. It allows windows/frames from multiple domains to communicate with each other.

Browser window properties and methods

  1. Closing the window
  2. The title
  3. Moving and resizing the window
  4. Scrolling the window
  5. System-related properties
    1. The navigator property
    2. The screen property

The dualistic window object provides both the global JavaScript object and the browser window interface.

In this section we concentrate on the browser part.

Focus/blur methods and events

  1. The focus method
  2. The getAttention recipe (for popup)
  3. The onfocus event
  4. Cases when the onfocus doesn’t work
  5. The getAttention recipe (main window)
  6. Summary

Both checking whether the window is focused and focusing on a window/tab are tricky.

That’s partially because the focus/blur events do not bubble, and partially because the browser window is part of the OS and JavaScript is not integrated with the OS window manager.

Security is also important here, because JavaScript focus/blur must not override the user’s will.

Still, let’s find out what we can do and see the possible pitfalls.

The Clickjacking attack, X-Frame-Options

  1. Clickjacking
  2. Defences and the ways to break through
    1. Blocking top navigation
    2. Other ways to workaround frame busting
    3. The reliable frame busting defence
  3. X-Frame-Options
    1. Demo
  4. Summary

The Clickjacking attack makes it possible to perform an action on the victim site on the visitor’s behalf.

Many sites were hacked this way, including Twitter and Facebook (both fixed).