dodotis / gwtquery

Automatically exported from code.google.com/p/gwtquery
MIT License

Inheriting gwtquery in module that is injected into a page, throws security exception in browser #115

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I have written a script using GWT that is added to a web page (using a 
bookmarklet to inject it into the web page you are viewing). 
This is compiled with the cross site GWT linker, so it can be loaded and 
inspect the DOM of the page it is added to.

I wanted to use gwtquery within this script, to make it easier to search for 
specific elements in the page, using selectors.

However, just adding the inherit to my module:
        <inherits name='com.google.gwt.query.Query'/>

causes my script to fail when run with the following error reported (Chrome 
15.0.874.121 on Mac OS X 10.6.8)

        Unsafe JavaScript attempt to access frame with URL http://{web page} from frame with URL {script url on my server, where it is loaded from} Domains, protocols and ports must match.

I am NOT calling any gwtquery code yet, so it must be in an entry-point method 
that is invoked just by inheriting the module.

I have overcome these single origin problems already in my script and I use 
other GWT modules and third-party GWT JARs in my module that I build my script 
from...

Thanks for any fixes or workarounds or ideas to allow me to use gwtquery in 
such a script.

Original issue reported on code.google.com by andrew.m...@bcntouch.com on 25 Nov 2011 at 11:59

GoogleCodeExporter commented 9 years ago
Hello,

If you use the XS linker, the gwt script shouldn't be loaded in an iframe, or I 
do not understand your problem.

Anyway, I have tried to compile a new project with XS and it works for me:

Create a new project with the gquery archetype
$ mvn archetype:generate -DarchetypeGroupId=com.googlecode.gwtquery \
    -DarchetypeArtifactId=gquery-archetype -DarchetypeVersion=1.1.2 \
    -DgroupId=com.mycompany -DartifactId=myproject -DprojectName=MyProject
$ cd myproject

Edit the module description file and add the XS linker
$ vi ./src/main/java/com/mycompany/myproject/MyProject.gwt.xml 
...
  <add-linker name="xs"/>
...

Compile the project
$ mvn clean package -Dmaven.test.skip

Run it in Chrome
$ google-chrome target/myproject-1.0-SNAPSHOT/index.html

Could you send an example of how to reproduce the issue?

Thx
- Manolo

Original comment by manuel.carrasco.m on 18 Dec 2011 at 4:27

GoogleCodeExporter commented 9 years ago
I beg your pardon, I was inaccurate in my initial post. 

I am using the XS iframe linker:

    <add-linker name="xsiframe" />

I could revisit that subject (prefer not to), but I think I had to use that 
linker (not the xs linker) to get the script loaded by the bookmarklet OK. 

To be clear. I have a handwritten bookmarklet that does the usual bookmarklet 
thing:
- createElement (a script element, whose source is the "myscript.nocache.js" JS 
compiled by GWT and hosted on my server)
- appendChild to the current page

If you tell me that xsiframe will be obsoleted in the future and xs will be the 
only cross site linker, then I may revisit the subject sooner :-) 

Original comment by andrew.m...@bcntouch.com on 21 Dec 2011 at 12:08

GoogleCodeExporter commented 9 years ago

Ok, I got it.

It is supposed that xs linker will become obsolete, so use it right now as a 
workaround in the meantime, while we fix the issue.

Thanks
- Manolo

Original comment by manuel.carrasco.m on 21 Dec 2011 at 6:21

GoogleCodeExporter commented 9 years ago
Hello, 

I've followed the steps in comment #1, but replacing <add-linker name="xs"/> with 
<add-linker name="xsiframe"/>. 

Then I have deployed the app html page in a domain which calls the script in a 
different domain:
http://mydomain.com/MyProject.html
...
  <script language="javascript" src="http://myotherdomain.com/MyProject.nocache.js"></script>
...

But I do not see the error. Could you provide another example I could use to 
see the problem and eventually fix it?

Thank you
- Manolo

Original comment by manuel.carrasco.m on 23 Dec 2011 at 9:23

GoogleCodeExporter commented 9 years ago
I saw the error while developing on my local development server in eclipse (due 
to the error I never deployed to a website).

The bookmarklet was configured to add my script from my development server 
(127.0.0.1:888).

I will reproduce now and see if I can give you more info or a simpler set-up to 
reproduce it, but it might not be easy to separate from my project without 
significant work... so I hope the local server comment above helps you 
reproduce it in the meantime.

Original comment by andrew.m...@bcntouch.com on 29 Dec 2011 at 10:28

GoogleCodeExporter commented 9 years ago
No way to reproduce the issue. I know several gquery apps in production using 
xs and xsiframe and they work OK. Let me know if it continues being a problem 
for you.

- Manolo

Original comment by manuel.carrasco.m on 10 Sep 2012 at 9:37

GoogleCodeExporter commented 9 years ago
Hola Manolo,

I have gone back to look at this, and I still have the problem. 

Maybe it's related to some Cross-Domain problem, where the bookmark tries to 
inject the (GWTQuery included) script into the current page, when loaded from 
elsewhere.

I think the setup should be:
- script compiled with GWTQuery and served from your server (say local: 
127.0.0.0:8888)
- have a bookmarklet/extension to inject it into the current web page...
- open a web page (maybe with a specific DOC type?) and run the bookmarklet
- the script won't be injected and you will see errors reported in Chrome 
console.

If I can help you reproduce it somehow, then please let me know.

Tools
=====
Mac OS X 10.7.4
Chrome Version 21.0.1180.89
Eclipse Indigo Service Release 2
Build id: 20120216-1857

GWT 2.4.0

Bookmarklet
===========
You can install the bookmarklet from http://ta.bcntouch.com. You may be offered
the Chrome extension install if you are using Chrome. In that case you can get 
the 
bookmarklet (drag to your bookmarks bar) here: 
http://ta.bcntouch.com/v/addit/learn-more

You can install my Chrome Extension called "Addit" that does the same thing as 
the bookmarklet
from the Web App Store: They both inject the Addit script into the current web 
page.

Chrome Error when used with GWTQuery
====================================
I load the page http://www.elcorteingles.es/ and then invoke my 
bookmarklet which
loads the script into the current page from my local server...

Chrome reports in the console:

Unsafe JavaScript attempt to access frame with URL http://www.elcorteingles.es/ 
from frame with URL 
http://127.0.0.1:8888/addit/C37749D4F4226615FC5765953F6F7490.cache.html. 
Domains, protocols and ports must match.
 C37749D4F4226615FC5765953F6F7490.cache.html:2
(anonymous function) C37749D4F4226615FC5765953F6F7490.cache.html:2
Unsafe JavaScript attempt to access frame with URL http://www.elcorteingles.es/ 
from frame with URL 
http://127.0.0.1:8888/addit/C37749D4F4226615FC5765953F6F7490.cache.html. 
Domains, protocols and ports must match.
 C37749D4F4226615FC5765953F6F7490.cache.html:1461
(anonymous function)

Module GWT XML File:
====================
<?xml version="1.0" encoding="UTF-8"?>
<module>
    <!-- Cross site linker -->
    <inherits name="com.google.gwt.core.Core" />
    <add-linker name="xsiframe" />

    <!-- If I insert this line it causes the failure described,
         even though I do not use any GWTQuery code in my project (yet)
    -->
    <inherits name="com.google.gwt.query.Query" />

    <!-- Inherit the Internationalization stuff. -->
    <inherits name="com.google.gwt.i18n.I18N" />

    <!-- GWT classes for parsing JSON responses -->
    <inherits name="com.google.gwt.json.JSON" />

    <!-- this is needed for the JSONAsyncRequest -->
    <inherits name="com.bcntouch.ta.JSON.JSON" />

    <inherits name="com.bcntouch.ta.Addit.Core.AdditCore" />
    <inherits name="com.bcntouch.ta.Addit.ProductParsers.ProductParsers" />

    <inherits name="com.bcntouch.ta.Products.Data.Data" />

    <!-- Inherit the property provider that detects the form factor of the users device -->
    <inherits name="com.bcntouch.ta.FormFactor" />

    <!-- Inherit a property provider that detects the locale of the host page for the bookmarklet -->
    <inherits name="com.bcntouch.ta.LocalePropertyProvider" />

    <!-- Deferred binding of AdditPanel abstract class -->
    <!-- Default implementation -->
    <replace-with class="com.bcntouch.ta.Addit.Bookmarklet.client.AdditPanelDesktop">
        <when-type-is class="com.bcntouch.ta.Addit.Bookmarklet.client.AdditPanel"/>
    </replace-with>

    <!-- mobile -->
    <replace-with class="com.bcntouch.ta.Addit.Bookmarklet.client.AdditPanelMobile">
        <when-type-is class="com.bcntouch.ta.Addit.Bookmarklet.client.AdditPanel"/>
        <when-property-is name="formfactor" value="mobile"/>
    </replace-with>     

    <!-- Deferred binding of product selector depending on form factor of device -->
    <!-- Default implementation is the "Desktop" one, used for "desktop" and "tablet" form factors -->
    <replace-with class="com.bcntouch.ta.Addit.Bookmarklet.client.ProductSelectorDesktop">
        <when-type-is class="com.bcntouch.ta.Addit.Bookmarklet.client.ProductSelector"/>
    </replace-with>

    <!-- Replace with a mobile implementation if mobile form factor detected -->
    <replace-with class="com.bcntouch.ta.Addit.Bookmarklet.client.ProductSelectorMobile">
        <when-type-is class="com.bcntouch.ta.Addit.Bookmarklet.client.ProductSelector"/>
        <when-property-is name="formfactor" value="mobile"/>
    </replace-with>

    <source path="client" />
    <source path="shared" />
    <public path="public" />

    <!-- style sheet references are relative to the module's folder in /war -->
    <stylesheet src="css/Addit.css" />

    <!-- Call this entry point so that on load the static method 'start' is exported 
         enabling the bookmarklet to call it to start the UI
    -->
    <entry-point class='com.bcntouch.ta.Addit.Bookmarklet.client.Bookmarklet' />

</module>

Original comment by andrew@mackenzie-serres.net on 13 Sep 2012 at 9:34

GoogleCodeExporter commented 9 years ago
I don't understand the problem well. I've installed the addit plugin from the 
store and added the elcorteingles.es page and everything went ok.

The extension adds many things to the page without problem: an iframe, a div 
and a script tag which seems to load a gwt-app compiled with either xs or 
xsiframe linkers. I suppose that they are using that linker because the 
extension of the 67BB50CEB47FA8532C6067193412BAA0.cache.js file is 'js'.

In your case running in dev-mode it seems you are using the standard linker 
since your file C37749D4F4226615FC5765953F6F7490.cache.html has an '.html' 
extension. So I don't think your gwt.xml file is the above one.

BTW: I have used gquery in chrome extensions (your extension does not use 
gwt-compiled js itself, but calls external gwt inserting a tag in the target 
page) without problem, I also have gquery working in widgets and embedded 
applications via iframe. 

Original comment by manuel.carrasco.m on 13 Sep 2012 at 10:57
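
The console message quoted earlier in this thread can be taken apart mechanically. The following is an added example, not code from the thread or from gwtquery: it parses the message, reports which parts of the origin tuple (scheme, host, port) differ, and applies the file-extension check from the comment above. The function names and the sample string (the message joined onto one line) are constructed for illustration.

```javascript
// Constructed sample: the Chrome console message from the thread, on one line.
const SAMPLE =
  'Unsafe JavaScript attempt to access frame with URL http://www.elcorteingles.es/ ' +
  'from frame with URL ' +
  'http://127.0.0.1:8888/addit/C37749D4F4226615FC5765953F6F7490.cache.html. ' +
  'Domains, protocols and ports must match.';

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin tuple with the default port made explicit, so ":80" and "" compare equal.
function originTuple(rawUrl) {
  const u = new URL(rawUrl);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Names of the tuple components that differ; an empty list means same origin.
function originMismatch(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  return ['scheme', 'host', 'port'].filter((k) => ta[k] !== tb[k]);
}

// Split the message into the two frame URLs and explain why access was refused.
function diagnose(message) {
  const re = /access frame with URL (\S+)\s+from frame with URL (\S+?)\.\s+Domains/;
  const m = re.exec(message);
  if (!m) return null; // not a same-origin frame-access message
  const [, target, accessor] = m;
  const path = new URL(accessor).pathname;
  return {
    target,
    accessor,
    mismatch: originMismatch(target, accessor),
    // Extension check taken from the comment above: .cache.html vs .cache.js
    accessorKind: path.endsWith('.cache.html') ? 'iframe document (.cache.html)'
      : path.endsWith('.cache.js') ? 'script (.cache.js)'
      : 'unknown',
  };
}

console.log(diagnose(SAMPLE));
```

For the message in this thread the accessing code lives in a `.cache.html` frame served from the development server, and both host and port differ from the host page.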

GoogleCodeExporter commented 9 years ago
The version that's hosted on ta.bcntouch.com (and loaded from the Extension or 
Bookmarklet) works fine.

If I compile the identical GWT project, just adding the <inherit> for gwtquery, 
then it doesn't work.

That's definitely my GWT XML file, just copied and pasted it from my source 
tree.

I suspect it's related to Cross-Domains and CORS.... I think you would need to 
try compiling a script using gwtquery, host it on one domain, and then inject 
it into the page from another domain, using a bookmarklet or extension to do 
that.....

Original comment by andrew@mackenzie-serres.net on 13 Sep 2012 at 11:06

GoogleCodeExporter commented 9 years ago
Does your app fail when running it in a webserver instead of devmode?
If it fails, is the XXX.cache file a .js or a .html file?

Could you set up an example that I could import into my Eclipse and run locally 
to figure out the problem? I think a Chrome extension (although I could hack 
the JS of the addit locally), and the app loaded via a script tag. 

Original comment by manuel.carrasco.m on 13 Sep 2012 at 11:23

GoogleCodeExporter commented 9 years ago
ping

Original comment by manuel.carrasco.m on 11 Feb 2013 at 1:56

GoogleCodeExporter commented 9 years ago
Thanks for reporting. I've migrated this issue to github : 
https://github.com/gwtquery/gwtquery/issues/147
Please follow the issue there.

Original comment by julien.d...@gmail.com on 15 Jul 2013 at 4:42