问题
TL;DR: Can I switch off XSS protection in Internet Explorer in a controlled environment so I can manipulate the DOM inside IFRAMES?
I am creating a kiosk for our public computers in our reception area which allows our users to browse our website as well as a few other local government related sites (ones that help with planning, building licences etc).
The kiosk "application" itself consists of a menu at the top and an iframe at the bottom - the intent is that the menu is always there and allows users to select another site, log off, print, etc. Hence why the sites that they are browsing will appear in an iframe.
Some of these websites (our's included*), make pdf files and external links pop open in a new browser window. Obviously this will break the "kiosk" experience. What I want to know is; is there a way that I can bypass the XSS protection that prevents you from modifying the DOM of an IFRAME - so that I can force these windows to open in the current IFRAME instead?
Please understand that I don't want to "block" the popups, just have a greater degree of control as to the behaviour of the browsing session.
Also note: this application is designed to run in a known environment that we have complete control over (i.e. it's not like it has to work in the wild). So any suggestions that require plugins, registry hacks or third party applications are A-OKAY :)
*yes, I know, I know, I will fix the whole popup thing when I get to do a redesign later in the year
回答1:
If you are using IE, there are a few security options you can try to disable.
Open IE > Security > Custom Level
There are options labeled "Enable XSS Filter" and "Navigate windows and frames across different domains". Try and play with them.
回答2:
Just to close off this question and to allow others to find out about how you can solve this problem. I decided to write my kiosk as an HTML Application (HTA). This allows you to drill down into any IFRAMES, see what's in there, make changes if required, know when certain elements are focussed etc. Here is the link in case anyone finds this useful.
http://msdn.microsoft.com/en-us/library/ms536496%28VS.85%29.aspx
来源:https://stackoverflow.com/questions/3332325/can-you-switch-off-xss-protection-in-ie7-so-that-an-intranet-application-can-kno