Question

I have a GWT application that opens a second browser window. I would like my second window to be able to call a method within the entry point of the first window.

The code sample below works in production (web) mode, but when I try running it in hosted mode, IE detects XSS and overwrites the page with a single "#" to protect against the detected attack. I'm guessing this is because my GWT code server is running on localhost while the application I'm testing is deployed on a virtual machine.

Update: It appears that IE XSS Filtering is sporadic. Sometimes I'm able to get the page to load. But a while later it starts filtering again.

public class MainWindow implements EntryPoint {
    ...
    @Override
    public void onModuleLoad() {
        registerJSNIFunctions(this);
    }

    private native void registerJSNIFunctions(MainWindow mw) /*-{
        $wnd.sayHi = function (name) {
            mw.@MainWindow::sayHi(Ljava/lang/String;)(name);
        }
    }-*/;

    public void sayHi(String name) {
        alert("Hi " + name); // not valid, but you get the point
    }
    ...
}

public class SecondWindow implements EntryPoint {
    ...
    @Override
    public void onModuleLoad() {
        ...
        sayHi("kylos");
    }

    public static native void sayHi(String name) /*-{
        $wnd.opener.window.$wnd.sayHi(name);
    }-*/;
}

Any ideas on how I could get this to work in hosted mode? Or is there a better way to do cross-window communication with GWT?


Solution 2

So the issue seems to be sporadic. I'm not sure how exactly the filter gets triggered, but when it does, the rewritten page gets cached by IE so future requests are guaranteed to fail until the browser cache is emptied.

I also found this Microsoft document that describes a custom header, X-XSS-Protection, that can be used to disable the filter. Obviously, this should only be used on a dev system in hosted mode.

To disable the filter, add the following header to your server configuration:

X-XSS-Protection: 0
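
One way to keep that header confined to a development system, as an added example that is not part of the original answer: a servlet filter that sends `X-XSS-Protection: 0` only when the JVM was started with an explicit opt-in. The class name and the `dev.disableXssFilter` system property are hypothetical, and the example assumes the application is served from a `javax.servlet` container.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class): disables the IE XSS filter only on
 * servers that were explicitly started in development mode.
 */
public class DevOnlyXssHeaderFilter implements Filter {

    // Hypothetical opt-in switch, e.g. -Ddev.disableXssFilter=true on the dev VM.
    // Absent or any other value means the header is never sent.
    static final String OPT_IN_PROPERTY = "dev.disableXssFilter";

    private boolean optedIn;

    @Override
    public void init(FilterConfig config) throws ServletException {
        optedIn = Boolean.getBoolean(OPT_IN_PROPERTY);
        if (optedIn) {
            // Leave a trace in the startup log so a misconfigured
            // production server is easy to spot.
            config.getServletContext().log(
                "WARNING: X-XSS-Protection: 0 is being sent (" + OPT_IN_PROPERTY + "=true)");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Set the header before the chain runs; once the response is
        // committed, headers can no longer be added.
        if (optedIn && res instanceof HttpServletResponse) {
            ((HttpServletResponse) res).setHeader("X-XSS-Protection", "0");
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter in `web.xml` to the host page URL only, and leave the system property unset everywhere except the dev machine.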

OTHER TIPS

Your question is quite interesting. See others' opinions, but I have done something similar using OAuth.

So, if the idea in the end is to call some method from one window to the other, I'd do something like:

....
   // Maybe it works as well if you use window instead of top
   $wnd.opener.top.location.replace(url);
   $wnd.close();
   ....
....

And in the other browser, wait for the new request, parse the URL, and call sayHi "locally". Is this approach valid for you?

If you want further details about the window properties, you can see the W3Schools page.

But basically:

  • $wnd.opener: returns a reference to the window that created the window
  • top: returns the topmost browser window

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow